Y2K Risk Management: Contingency Planning, Business Continuity, and Avoiding Litigation by Steven H. Goldberg
"It is naive to think we will all be prepared for Y2K by December 31, 1999. This is an important and timely book in which the authors provide clear and cogent advice for managing the entire spectrum of Year 2000 business and legal risks." -Dr. Edward Yardeni, Chief Economist, Deutsche Bank Securities
Y2K Risk Management
Every organization needs an effective risk management strategy to address Year 2000 business and legal risks, even if your own computer systems are repaired and tested. Your vendors may be unable to deliver supplies and customers unable to pay invoices. Failures of public and private infrastructure systems, such as power, water, and transportation, could cause major operational disruptions. If you suffer Y2K financial losses, you may need to seek compensation from responsible parties. Or if you are unable to meet contractual, fiduciary, or regulatory obligations as a result of Year 2000 problems, you may face litigation. This indispensable guide reveals the legal landscape unique to Y2K and covers such vital topics as:
• Business and legal risk assessment
• Identifying and safeguarding mission-critical business functions
• Fast-tracking a Y2K project
• Evaluating and protecting the supply chain
• Developing contingency plans and fall-back procedures
• Preparing a legal audit and reducing liability exposure
• Substantiating due diligence of Y2K compliance efforts
• Implications of the Year 2000 Information and Readiness Disclosure Act, SEC disclosure rules, and independent auditing guidelines
• Insurance coverage issues
• Exercising fiduciary duties and protecting corporate officers and information technology professionals
• Litigation planning and alternative dispute resolution
- Product dimensions: 7.50(w) x 9.25(h) x 0.73(d)
Read an Excerpt
Year 2000 Business and Legal Risks
"A pessimist is a well-informed optimist."
REPRESENTATIVE CONSTANCE MORELLA
In this chapter, we will provide an overview of Year 2000 risks, including their potential scope and severity, to help you structure effective risk response strategies. To begin, we will focus on the risks side; in the rest of the book we will describe the affirmative steps your organization can take to avoid Y2K perils and mitigate their harms. As you will see, potential Year 2000 business and legal risks are so vast in their scope and diversity that this entire chapter can serve as only an introduction. In subsequent chapters, we will focus in detail on each of the risk areas outlined here.
Y2K Casualties: Your Business, Customers, and Career
Significant Y2K failures, should they occur, are likely to have extremely serious business and legal consequences. Regardless of how you may view the sufficiency of the efforts being made to prevent Year 2000 problems, if the rate of repair and level of testing are not accelerated, last-minute responses or "fix-on-failure" strategies probably won't be enough to prevent severe business disruptions (Jones, 1998a).
Sources of Risk
Year 2000 risk comes from many quadrants; together, minor but simultaneous Y2K events can form waves of disruptions that may spread throughout the business world and the global economy. Every organization needs to think systematically about multiple categories of risk so as not to lose sight of the forest for the trees. We will start by looking at the basic sources of Year 2000 business risks and work our way up to higher levels of risk exposure. Then, we'll consider the possible business and legal consequences.
Internal IT Systems
Internal IT systems are the most obvious source of potential Y2K failures and the risk most under the company's immediate control. Vulnerable technologies include mainframes, client/server systems, networks, intranets, personal computers (PCs), and other components of hardware and software infrastructure, as well as application programs, utilities, databases, and so on. The nature of Y2K risk often depends on the extent to which components of information systems are under the company's direct control. You may have a combination of systems, including applications that were developed entirely in-house, plain vanilla or modified commercial off-the-shelf (COTS) programs, and custom-built systems and applications. Many companies use software developed by third parties to provide expert application and systems development not available in-house. Vendors, however, may not be willing to provide the level of Y2K support you require because they now face risks to their own bottom lines and possible liability exposures from their noncompliant products.
Companies often depend on maintenance and support agreements with multiple vendors responsible for different parts of the system, strung together over time. Dealing with multiple vendors of IT products and services is difficult enough in normal times; it is fair to assume that Y2K will stress these relationships in new and unpredictable ways. The patchwork quilt of interdependent technologies upon which most companies rely creates additional difficulties because Year 2000 requires assessment, remediation, and testing of an entire system for which no single vendor bears sole responsibility. Indeed, it has become common to define Y2K compliance (about which we will have more to say in Chapter 4, "Reducing Liability Exposure") by accounting for such interdependencies. For example, the Federal Acquisitions Regulation's definition includes a qualifier that a product is compliant "to the extent that other information technology, used in combination with the information technology being acquired, properly exchanges date/time data with it."
Embedded and Non-IT Systems
Embedded systems are "devices used to control, monitor or assist the operation of equipment, machinery or plant" and are "an integral part of the system" (IEE, 1998). The renowned Year 2000 evangelist, Peter de Jager, says of embedded systems, "Without doubt, this is the area of greatest risk ... they are the Achilles heel of Y2K" (1998). Embedded chips are nonprogrammable microcircuits hard-wired into other pieces of equipment, many of which include date calculations in their programming logic. The equipment in which the chips are embedded often is not under the control of the IS department but usually is the responsibility of the vendors that supply and maintain it for diverse operational units of the organization.
Giga Information Group of Cambridge, Massachusetts, categorizes embedded systems into four groups: individual microprocessors, small microprocessor assemblies with no timing functions, subassemblies with timing functions, and computer systems used in manufacturing or processing control. According to Giga, only the last two groups are likely to experience Y2K failures, ranging from annoying to aggravating, debilitating, and finally, life-threatening (Coffou, 1998). Embedded chip systems that should be tested for Year 2000 vulnerability include the following:
* Monitoring and control systems, including smart valves and sensors and environmental and safety equipment
* Fire alarm systems, including detection, sending, receiving, and suppression units
* Security systems, including sending and receiving units, video and surveillance systems, and badge readers
* Telecommunications equipment, including telephone switching equipment, call management systems, pagers, and cellular phones
* Medical devices and equipment, including monitoring systems; dialysis, chemotherapy, and radiation equipment; and laboratory, radiology, and other diagnostic systems
* Building infrastructure, including heating, ventilation, and air-conditioning (HVAC) equipment, energy management and lighting controls, emergency generators and lighting, uninterruptible power supplies, and elevators (Coffou, 1997a; Ackerman, 1997; Bailey, 1997).
Embedded systems pose unique Year 2000 risks. Most organizations lack the in-house technical expertise required to inventory, repair, and test these automated devices for Y2K vulnerability. In fact, most Y2K consultants have little or no expertise in this difficult area, and there may not be sufficient technical capacity in 1999 and 2000 to address the problem. It may be, as de Jager suggests, that "the only alternative we've left ourselves is to turn off what we're not sure of" (1998).
The other major problem with embedded chips is that they're everywhere, with literally hundreds of billions of them installed in all kinds of equipment around the globe. Even if, as most knowledgeable experts believe, only a very small percentage of such devices are vulnerable to century-date failures in equipment that could be considered vital, incapacitating and even catastrophic consequences could result. Consider the following examples.
TAVA Technologies, Inc. of Englewood, Colorado, which, by February 1998, had Y2K manufacturing plant floor experience at more than 400 sites, has reported that "the company has yet to find a single site that did not require some degree of remediation." Computerized factory floor systems store, transfer, output, and calculate dates in a wide variety of management and control systems, including maintenance databases, smart sensors, inventory management, programmable logic controllers, shipping documentation, and energy management. Out of the tens of thousands of manufacturing automation systems and components TAVA has tested for Year 2000 compliance, it has found "more than 20% to be either non-compliant or 'suspect,' that is non-compliant under certain circumstances" (Hagewood, 1998).
ECRI, a nonprofit agency specializing in healthcare technology located in Plymouth Meeting, Pennsylvania, finds that, although most medical devices will not be affected by Y2K problems, "a small number of devices may fail or malfunction." ECRI identifies information systems, medical devices, and general hospital systems as "susceptible equipment," with problems ranging from billing errors, improper supply orders and device lockup, to erroneous patient data and invalid dosage rates. Failures of high-risk equipment used for "life support, resuscitation, or critical monitoring," such as anesthesia units, radiographic equipment, and ventilators, could directly harm the patient. In the case of "medium risk equipment," such as clinical laboratory equipment, ultrasound scanners, and cardiac output units, Y2K failures would not pose "immediate harm to patients," but "[m]ay have a significant impact on patient care" (Montagnolo, 1998).
Much of the concern about the stability of the nation's electric power grid relates directly to the extensive reliance of power-generating and transmission equipment on embedded systems. Rick Cowles states that "Within a typical electric utility, embedded-logic control is prevalent in every facet of Operation; from load dispatch and remote switchyard breaker control, to nuclear power plant safety systems and fossil fuel plant boiler control systems. Whole generating units (generally, gas turbines) are controlled from miles away by personnel remotely adjusting system loads in response to peak demands" (1998).
Exchanging Data Electronically
An increasing number of commercial transactions are now handled by direct electronic communication. These include the following:
* Electronic funds transfers (EFT)
* Electronic data interchange (EDI) systems that place, fill, invoice, and pay for orders for parts, supplies, and finished goods
* Medical and other insurance claims processing and payments
* Securities trading clearinghouses and regulatory compliance reporting
Several opportunities for Y2K breakdown exist. First, a basic prerequisite for electronic communication is that both systems must be able to talk to each other, that is, successfully send and receive information. Y2K can disrupt IT systems on either end of the wire, blocking electronic communication, and it can disable the communication linkage itself.
Second, even if both systems have achieved internal Year 2000 compliance, they still may not be able to communicate if they have renovated their systems using incompatible methodologies. For example, if one party converted its code using a fixed window and a trading partner used a sliding window, the century designation for the date data could become ambiguous after transmission.
Finally, electronic data exchange could contaminate compliant systems with erroneous data transmitted by noncompliant but functioning systems of their trading partners. For example, if system A generates data with financial information that is 100 years off and successfully sends that information to system B, the databases of system B could use that data to process transactions and perform calculations that contain unknown errors.
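As an added illustration, not taken from the book, the following Python script works through the two failure modes just described: the fixed-window and sliding-window conventions are applied to the same two-digit-year fields, the records where the two conventions land a century apart are flagged, and a receiver-side plausibility check shows how a 100-years-off value can be rejected instead of being written into the database. The pivot year of 50, the 20-year look-back, the mid-1999 assessment date, and the YYMMDD sample records are all assumptions made for the example.

```python
from datetime import date

# Assumed assessment date for the example: mid-1999, just before the rollover.
ASSESSMENT_DATE = date(1999, 6, 30)

# Constructed EDI-style fields in YYMMDD form (not real transaction data).
SAMPLE_RECORDS = [
    ("invoice_date", "990115"),
    ("order_date", "000301"),
    ("contract_start", "750601"),
    ("warranty_end", "040630"),
]


def expand_fixed_window(yy, pivot=50):
    """Fixed window: yy >= pivot maps to 19yy, yy < pivot maps to 20yy.
    With the assumed pivot of 50 the window is 1950-2049 and never moves."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year must be 00-99")
    return 1900 + yy if yy >= pivot else 2000 + yy


def expand_sliding_window(yy, today=ASSESSMENT_DATE, years_back=20):
    """Sliding window: yy is placed in the 100-year span that starts
    years_back years before `today`, so the window moves with the clock."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year must be 00-99")
    start = today.year - years_back
    year = (start // 100) * 100 + yy      # same century as the window start
    if year < start:                       # below the window: next century
        year += 100
    return year


def parse_yymmdd(raw, expand_year):
    """Turn a YYMMDD string into a date using the supplied century rule."""
    yy, mm, dd = int(raw[:2]), int(raw[2:4]), int(raw[4:6])
    return date(expand_year(yy), mm, dd)


def reconcile(records, today=ASSESSMENT_DATE, pivot=50, years_back=20):
    """Expand every record the way a fixed-window sender and a sliding-window
    receiver would, and flag the records where the two land a century apart."""
    findings = []
    for field, raw in records:
        as_sent = parse_yymmdd(raw, lambda yy: expand_fixed_window(yy, pivot))
        as_received = parse_yymmdd(
            raw, lambda yy: expand_sliding_window(yy, today, years_back))
        findings.append({
            "field": field,
            "raw": raw,
            "fixed": as_sent,
            "sliding": as_received,
            "century_skew": abs(as_sent.year - as_received.year) == 100,
        })
    return findings


def plausible_year(year, today=ASSESSMENT_DATE, max_past=30, max_future=10):
    """Receiver-side sanity check on an expanded year before it is stored.
    The allowed range is a per-field business rule, assumed here for illustration."""
    return today.year - max_past <= year <= today.year + max_future


if __name__ == "__main__":
    for f in reconcile(SAMPLE_RECORDS):
        verdict = "SKEW" if f["century_skew"] else "ok"
        accept = "accept" if plausible_year(f["sliding"].year) else "REJECT"
        print(f'{f["field"]:<15} {f["raw"]}  fixed={f["fixed"]}  '
              f'sliding={f["sliding"]}  {verdict}  receiver:{accept}')
```

The contract_start field is the interesting case: a fixed window with pivot 50 reads 75 as 1975, while a sliding window anchored 20 years before mid-1999 covers 1979 to 2078 and reads the same digits as 2075. Both systems are internally consistent, which is why neither side's own testing reveals the problem; only a cross-partner reconciliation or a receiver-side range check catches it. The plausibility range has to be set per field, since a contract start date can legitimately be decades old while an invoice date cannot.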
Due to the increasing importance of direct electronic transactions, Year 2000 remediation may require large-scale end-to-end testing across many links in a supply chain, such as retailers, EDI clearinghouses, value-added networks, distributors, wholesalers, shippers, suppliers, and assemblers. Substantial technical, logistical, financial, and managerial challenges abound, with corresponding business risk.
External Business Dependencies
Most business organizations, public and nonprofit agencies, and institutions understand that, no matter how well prepared they may be for the century date change themselves, they remain acutely vulnerable to Year 2000 problems if the many third parties with which they do business are not ready to process twenty-first century dates. Although awareness of this external dimension of Y2K increased dramatically in 1998, it remains a difficult problem to address and, hence, an intractable source of risk.
Supply Chain Compliance
The problem of evaluating Y2K risks in the supply chain is a stubborn one for many reasons. The number and diversity of outside dependencies may make efforts daunting. Companies are unable to control or even reliably assess external compliance efforts. Potential failure points that could trigger and result from Y2K chain reactions are unpredictable. All of these obstacles can prove insurmountable when trying to assess supply chain compliance, and many initial efforts have proven ineffective. For example, a group of large retailers and manufacturers that rely on thousands of suppliers, including the big three automakers (acting through the Automotive Industry Action Group), were among the first to disseminate detailed vendor compliance questionnaires in an attempt to assess supply-chain Year 2000 preparations. The initial results proved unsatisfactory because of low response rates and unreliable data, and extensive follow-up efforts were required to produce satisfactory results.
Nevertheless, vendor surveys have proliferated widely, albeit with mixed results. Common mistakes include asking for too much detail, requiring compliance certifications and signatures that give rise to liability concerns, and adopting an antagonistic tone. In Chapter 5, "External Compliance Strategies," we'll share what we've learned about mitigating vendor risk and suggest an expedited strategy to follow in 1999.
There is a real risk that companies unprepared for Year 2000 will be unable to pay their bills or at least will experience significant disruptions. If so, businesses providing goods and services to such companies could take hits to their own cash flows and receivables. The concern is serious enough that the Federal Financial Institutions Examination Council (FFIEC) has required member banks, credit unions, and savings associations to implement customer due diligence plans to evaluate whether Y2K might prevent their material customers from repaying their loans on time (1998). As 2000 nears, all businesses, not just banks, should ask themselves if they are putting too many eggs in the wrong baskets.
Customer compliance problems have the potential to adversely affect an entire market segment. For example, in September 1998, a Massachusetts technology consultant and systems integrator saw its stock price drop 22 percent after the company announced that many of its customers were delaying new projects to focus on Y2K work (Reuters, 1998).
Every enterprise, whether public or private, needs electric power; telephone service; water and sewer service; police, fire, and ambulance service; public transportation; cargo ports; airports; and similar services and facilities. Providers of those services and operators of those facilities face the same Y2K risks discussed here.
In many cases, the useful life of aging infrastructure has been extended far beyond its original design by patches, workarounds, and other expedient contrivances, making Y2K assessment and remediation all the more difficult. Because most of us can't build our own electric generating station, sewage treatment plant, or international shipping terminal, serious Year 2000 events in essential infrastructure systems pose risks that would be extremely difficult to overcome. You cannot safely ignore infrastructure risks; to the contrary, every business should formulate contingency plans so it can operate without basic services for a short or extended period.
It would be wrong to assume that all countries are devoting equal effort to tackling Year 2000 problems. In fact, wide disparities in their compliance preparations exist among nations. According to the Gartner Group, which conducts a quarterly Y2K survey of 15,000 companies in 87 countries, the United States is farthest along in its preparations, followed by Holland, Belgium, Sweden, Canada, and Australia. By contrast, Gartner predicts that two-thirds of the companies in Russia, China, India, the Middle East (excluding Israel), Argentina, and Venezuela, as well as half of all companies in Japan, Germany, Mexico, and Malaysia, will have one major mission-critical Y2K failure (Weil, 1998). USA Today reported in April 1998 that only 8 percent of German companies had a formal compliance program, as compared to 80 percent of large U.S. companies (Lynch, 1998). Professor Richard L. Nolan believes that "probably more than 70 percent of Japan's CEOs are unaware of the potential of the Y2K problem to disrupt their business and are not providing any meaningful Y2K leadership" (1998). The Federal Reserve Bank has expressed serious concerns about the compliance efforts of many foreign banks, in no small part because many U.S. banks depend on international funds flows and foreign counterparties for funds deposits and processing major financial transactions.
Outside the United States, additional obstacles are complicating Year 2000 conversion efforts. Economies around the globe are currently struggling to recover from failing markets, and others are converting to a single European currency. Because European Monetary Unit (EMU) conversions and economic difficulties have largely preempted international Y2K preparations, U.S. companies are in danger from noncompliant overseas customers and suppliers. Unprepared international subsidiaries and affiliates of U.S. firms also pose financial risks to those companies that maintain consolidated balance sheets.
Meet the Author
STEVEN H. GOLDBERG is a litigation attorney and Y2K consultant in Boston (www.2000legal.com) and a nationally known speaker and writer on managing Year 2000 business and legal risks. He is cofounder of Dispute Resolution 2000 (www.dr2000.com) and a member of the Legal Advisory Board to the Rx2000 Solutions Institute. STEVEN C. DAVIS is a pioneer in the field of Y2K risk management, and local government and community planning. He maintains a public service Y2K Web site at www.davislogic.com/impact.htm, which also features planning templates from the book, and live links to the resources in the appendix. ANDREW M. PEGALIS, Esq., is the founder and President of Next Millennium Consulting, Inc., (www.consult2000.com), the nation's first independent Y2K risk management services firm. He is also a frequent speaker and writer on Y2K risk management and legal issues.