The Year 2000 Problem - The GartnerGroup



7 October 1998
Special Report
Lou Marcoccio


Year 2000 Global State of Readiness and Risks to the General Business Community

Expert Testimony of Lou Marcoccio to the U.S. Senate Special Committee on the Year 2000 Technology Problem, October 7th, 1998, Washington, D.C.

Introduction
GartnerGroup is a worldwide business and information technology advisory company, providing research and advice in more than 80 major focus areas of business and technology, including Year 2000. We research Year 2000 status, issues, and best strategies, and provide advice and methods to companies and governments throughout the world.

Major points in this testimony:

  1. Year 2000 worldwide compliance status
  2. Predicted failures and impact
  3. The impact of embedded chips
  4. When system failures will occur throughout the duration of this problem
  5. Risks to the United States and possible impact
  6. Accuracy of disclosures reported to the U.S. SEC
  7. Recommendations to the United States Senate

Method of Measurement of Compliance Status: COMPARE (COMpliance Progress And REadiness): GartnerGroup uses a methodology for determining the status of a company or government agency. It is used to rank and compare level of completion of compliance. It consists of five levels:

  1. Level 0 - Has not started any Year 2000 effort
  2. Level I - Starting, awareness, champion identified, begin business dependency inventory
  3. Level II - Conduct detailed inventory of all business dependencies
  4. Level III - Detailed project plans, resources in place, prioritize business dependencies, risk assessment, complete compliance of 20% critical items
  5. Level IV - Complete compliance efforts on remaining 80% of critical items
  6. Level V - Complete compliance of non-critical items and launch policies to guard against post year 2000 failures

Research Methods
This information is gathered from interviews and client inquiry meetings. GartnerGroup is prohibited from disclosing specific names of companies or government agencies that are providers of this information, due to agreements of disclosure, under which the information is provided. Research data is gathered using various research methods, e.g., client interviews, surveys, consortia groups, user companies, equipment manufacturers, consulting firms, and legal firms. The research covers 15,000 companies in 87 countries. An attempt was made to equally distribute the research across small (under 2,000 employees), medium (2,000 to 20,000 employees), and large (over 20,000 employees) companies in each country, and to equally distribute across 27 vertical industries. We analyze the research and produce predictions and analysis. This information is provided to clients in our written research and advice. Year 2000 status of companies and governments has been found to be quite different in each of three dimensions - size, industry, and country.

Research Results
23% of all companies and government agencies have not started any Year 2000 effort. 83% of these are small companies with fewer than 2000 employees.

Figure 1 : Percent of Companies With Year 2000 Projects, by Size - 1998

Why Companies & Government Agencies Began to Address This Problem

  1. A failure occurred affecting a mission critical business process
  2. Regulatory mandate and possible penalties
  3. Fear of internal litigation due to lack of due diligence
  4. Customer pressures

Since awareness and failure scenarios have reached many countries, many companies are now getting started because of fear of interruptions to their supply chain and pressure from customers.

Characteristics by Size

Figure 2 : Status of Companies and Government Agencies, by Size; Q3 1998

Large companies are farthest ahead. They began earlier, because failures occurred, they had more resources to deploy, and they had older systems critical to their continued business operation. They spend a larger percentage of NOR (net operating revenue) on IT (information technology) than small companies. Smaller companies have fewer resources and less resource flexibility. A large percentage of IT systems at large companies were built in-house. Small companies have purchased a much larger percentage of IT systems from vendors. Since a majority of business insurance carriers recently added Year 2000 exemptions to current active business interruption policies, companies will not be able to rely on their insurance coverage as they planned. Many large companies have cash reserves and internal insurance strategies to rely upon, whereas small companies have limited safety nets or parachutes.

As of Q3 1998, large companies have completed remediation of 20-80% of their internal systems, and 30-50% have started significant levels of testing. Mid-size companies have 0-30% remediated, and 20-40% have begun testing. Small companies have 0-5% remediated, 30% have begun testing, and they are heavily reliant upon vendors to fix their systems. Large companies are using their own internal resources and contracting only 2-7% to outside vendors. Mid-size companies are contracting 25% to vendors, while small companies are contracting 50% to vendors.

IT budgets were relatively flat from 1997 to 1998; however, 30% of IT budgets will be spent on Year 2000 efforts in 1998. We estimate 44% of IT budgets will go to Year 2000 projects in 1999.

Small companies spend 50% of their Year 2000 spending on outside services, while large companies do most of the work themselves with already-existing internal resources.

From 1996 through Q1 1998, companies were using vendor form letters to determine supply chain risks. Many of these are not responded to, and of the ones received, the vast majority are unusable for compliance risk assessment. During Q1 and Q2 1998, more than 60% have changed to a strategy of requesting face-to-face or telephone (direct contact) vendor reviews. This should help in obtaining more accurate supply chain risk information; however, many are struggling with trying to get vendors to agree to this type of meeting. Therefore, getting vendors to disclose accurate information related to compliance of their products remains a challenging task.

Prior to 1998, 5% of companies had business participation or business ownership of compliance efforts in their company. During 1998, this grew to nearly 30%. We forecast that companies in which the IT organization "owns" the Year 2000 compliance projects for the corporation are 3-5 times more likely to have a serious mission critical system failure (0.8 probability).

The predominant focus of Year 2000 projects differs considerably, based upon the size of the company and country it is in. Large companies are now focused on contingency planning and assessing business dependency risks, while continuing to complete fixing of internal systems and beginning to test (see Figure 2). Mid-size companies are just beginning to address contingency planning, while attempting to assess supply chain risks and trying to leap-frog steps required to fix and test internal solutions (see Figure 2). Many small companies have still not started, but the ones who have are focusing on vendor compliance and inventorying their business dependencies (see Figure 2).

In April 1997, 50% of companies, across all industries, had not started Year 2000 efforts. By November 1997, the number dropped to 30%. By October 1, 1998, 23% of companies throughout the world had not started. 83% of those are small companies. We predict that in January 2000, nearly 20% will still not be started, and they will mostly be small companies and companies in lagging countries (0.8 probability).

Predicted Failures by Size
GartnerGroup defines a "failure" as an interruption to a business operation, a business dependency which cannot be provided or delivered as required, or inaccuracy of data or customer transaction. "Mission critical" is defined as any business dependency which, if it were to fail, would cause any of the following:

  1. A shutdown of business, production, or product delivery operations
  2. Health hazard to individuals
  3. Considerable revenue loss
  4. A significant litigation expense or loss
  5. Significant loss of customers or revenue

30-50% of companies and government agencies worldwide will experience at least one mission critical system failure (includes all sizes, all industries, all countries) through Q1 2000. In the U.S., 15% of companies and government agencies will experience a mission critical system failure (also see section on country status for status of U.S. versus all other countries). 10% of failures will last 3 days or longer. The cost of recovering from a single failure after it occurs will range from US $20,000 - $3.5 million.

The number of companies predicted to experience at least one mission critical system failure (0.8 probability):

  • 50-60% of small companies and government agencies
  • 40-50% of mid-size companies and government agencies
  • 10-20% of large companies

Characteristics by Industry Sector
The second dimension used to gather Year 2000 status information is by industry. We monitor 27 industries, and find there are distinct issues unique to each industry. Very few of the industries are regulated. The industries have been placed into four risk categories.

Category 1
Insurance, Investment Services, Banking, Pharmaceuticals, Computer Manufacturing
15% of companies in these industries will experience at least one mission critical system failure

Category 2
Heavy Equipment, Aerospace, Medical Equipment, Software, Semiconductor, Telecom, Retail, Discrete Manufacturing, Publishing, Biotechnology, Consulting
33% of companies in these industries will experience at least one mission critical system failure

Category 3
Chemical Processing, Transportation, Power, Natural Gas, Water, Oil, Law Practices, Medical Practices, Construction, Transportation, Pulp & Paper, Ocean Shipping, Hospitality, Broadcast News, Television, Law Enforcement
50% of companies in these industries will experience at least one mission critical system failure

Category 4
Education, Healthcare, Government Agencies, Farming & Agriculture, Food Processing, City & Town Municipal Services
66% of companies in these industries will experience at least one mission critical system failure

Figure 3 : Research Industries and Failure Predictions

Insurance, investment services, and banking lead all other industries. Banking has a unique status, since small banks are lagging and large banks in the United States are ahead of many other industries. The insurance industry began having failures more than 10 years ago, and due to the critical impact their IT systems have on their business operations, they began their compliance efforts early. Banks in the U.S. began having failure problems nearly 30 years ago, but were not driven to begin compliance efforts until they were driven by regulation.

Infrastructure utilities and emergency services are critical for sustaining business operations and well-being. In the U.S., we predict that general infrastructure, power, non-wireless telephones, and critical services will continue mostly uninterrupted, with potential for relatively minor problems and some inconveniences. Natural gas utilities are lagging the utility industries. Healthcare lags in areas of medical practices, hospitals and elderly care. Public, private, and higher education also lag far behind. Many world governments are also far behind. The U.S. and Canadian governments are more than 40% ahead of any other government in the world, but lag large, private industry in the U.S. State governments differ widely in status. Most U.S. states have Year 2000 projects. 50% have reached the start of level III, and nearly all are being managed and driven from within IT. 65% of U.S. cities and towns do not have Year 2000 projects. Many mid-size and smaller cities and towns are lagging far behind or have not started. An industry highly overlooked is agriculture (farming, food processing, transportation/distribution, and import and export of foods and food by-products). Several agriculture sub-industries are lagging far behind. Governments range from COMPARE level 0 to level III, with the majority in level 0-II (see Figure 3).

Figure 4 : Status of Year 2000 Compliance - Industry View

Figure 5 : Status of Year 2000 Compliance - U.S. Industry View

Characteristics by Country
The largest impact this problem will have on the world is related to the global economy. Countries already plagued with financial woes, sharp increases in inflation, limited monetary reserves, and high unemployment are some of the same countries farthest behind with Year 2000 compliance. Figure 6 shows countries grouped according to level of risk and the predicted percentage of companies to experience failures. One white dot indicates that 15% of companies will have at least one mission critical system failure. One solid dot indicates that 33% of companies will experience such a failure. Two solid dots indicate that 50% will experience such a failure, and three solid dots indicate that 66% will experience the same. Infrastructure risks within a given country are shown separately in Figure 7. There are several key non-Year 2000 interdependencies considered when determining risks within a specific country, e.g., rate of inflation, shortage of food or key resources, current government out of favor with majority of people, risk of unrest, infrastructure failure risks, ability to import/export key goods or resources, likely dependencies on other countries for aid, and monetary reserves and world value of their currency. A number of countries already afflicted with several of these problems are considerably lagging in Year 2000 efforts, and will likely see even greater negative impact as a result.

Figure 6 : Research Countries and Failure Prediction

In our country status and predicted failure rates within countries (Figure 6), the estimates include all companies and government agencies together. Venezuela started awareness efforts months ago, but a large number of companies and government agencies have not yet begun compliance efforts. The new government leader may affect the rate of progress. In Argentina, companies are finding it somewhat difficult to get funding for Year 2000 projects and consulting firms needed to supplement smaller companies are limited in number. Except for Israel, Middle Eastern countries are just beginning, and are lagging. In Russia, larger companies in just a few large cities are working on the problem, but companies throughout the country outside those cities are lagging far behind. Municipal services, healthcare, and other Russian industries are far behind. In Pakistan and India, only larger companies have begun efforts. In Mexico, the banking industry is aided by a regulatory process that succeeds in getting relatively accurate disclosures made. This helped to get the banking industry moving more quickly than other industries. Two years ago, companies in Japan did not believe they had a problem with Year 2000, but now many are trying to address compliance.

Figure 7 : Sample of Countries Showing COMPARE Level

The chart in Figure 8 shows the risk and probability of failure of basic infrastructure by countries. It shows a ranking of 1 through 10 that describes how widespread and severe infrastructure and service interruptions are likely to be for each group of countries (grouped in Figure 6). Each failure effect is ranked in each country category according to how widespread the impact will be realized, and the level of severity expected. The chart takes into account today's (as of Q3 1998) status and risks, interdependencies, levels expected to be reached by 2000, and likely failure results. Since some companies and governments will slow down or speed up their compliance efforts prior to 2000, and more and better status information is made available, this information will be updated periodically.

Figure 8 : Distribution & Severity of Infrastructure Service Interruptions
Note: countries included in each of the four categories shown in Figure 8 are defined in Figure 6

Failure Scenarios and Predictions
Each company and government agency is ranked according to its current status, its probability of gaining compliance, and the impact of technical systems on its typical business operations. After following failures and tracking status related to probabilities of failure, we show the relationship of status to predicted mission critical failure in Figure 9 (below). We now know that it takes approximately 30 months for a mid-size company to complete level IV and gain compliance of their mission critical dependencies.

Figure 9 : Risk versus Compliance Status - October 1998

Using the chart in Figure 9, you can estimate high-level risk and probability of at least one mission critical system failure occurring within any company in an industry or government. This is done by using the current COMPARE status level and assuming it takes an average of 30 months for a midsize company to complete compliance of mission critical business dependencies.

Public Panic and Social Order
The economic and sociopolitical results from Year 2000 failures can include panic, unrest, increased crime, food and infrastructure interruptions, and health and safety issues. Social order may be affected when basic needs are disrupted. These effects are controlled by ensuring that basic needs will continue to be met and proactively reducing fear and disorder. Social disorder will be at risk in several countries and regions of the world, contributed to by Year 2000 failures.

CORE
To assess operational risk, to determine where contingency plans are necessary, and to develop contingency strategies, GartnerGroup uses a methodology called CORE (COMPARE Operational Risk Evaluation). It is used to determine risks related to supply chain, interdependencies, customers, investors, embedded systems, and IT systems. We recommend companies and agencies use CORE to determine operational risks and risks related to global dependencies.

CORE includes five steps or phases:

  1. Perform High Level Risk Assessment
  2. Inventory Business Dependencies
  3. Categorize Business Dependencies by Impact to the Business
  4. Perform Detailed Risk Assessment and Ranking
  5. Design and Implement Contingencies & Disaster Recovery

Use CORE to assess risks related to countries, infrastructures, industries, supply chain, or any business dependency.

Estimated Cost of Year 2000
We estimate the total cost of Year 2000 to be:

  • Worldwide IT Cost: US $300 billion to $600 billion
  • U.S. IT Cost: US $150 billion to $225 billion
  • US $1-2 trillion: total worldwide cost

When Failures will Occur
System failures due to Year 2000 have been occurring for some time. They will increase in 1999, reach their highest volumes during 2000, and drop off during 2001. Few will continue past 2003. Contributing factors (all are 0.8 probability):

Software

  1. 83% of commercial software is not yet certified compliant - 11% in April, 2002
  2. 4% of follow-on versions of commercial software will not be compliant
  3. 70% of custom solutions developed by a vendor more than seven years ago will not be supported by that vendor

Data

  1. 70% of archived data will not be remediated, but attempts will be made to use this data in remediated systems
  2. Non-compliant data will be passed to/from companies
  3. Some data centers will be shut down during rollover to reduce risk of failures

Systems

  1. Many IT systems will run non-compliant transactions during 1999, 2000, and 2001, since many are periodic transactions
  2. Some IT systems use applications that were frozen during 1999, but will be used again some time after 2000

Embedded Systems
Embedded systems will have limited effect on Year 2000 problems, and we will see a minimal number of failures from these devices. Only 1 in 100,000 free-standing microcontroller chips are likely to fail due to Year 2000. A small percentage of real-time clock-driven chips are affected, but these failures will be a small percentage of the non-embedded system failures. The key issues concerning embedded chip failures are 1) very few will fail, and 2) of those that fail, the majority will fail right at the millennium, and the majority of these will only fail once - if they are active when the clock ticks over. Embedded chips used for key infrastructure processes, life support systems, and other critical processes should be checked and verified by the manufacturer of the equipment, due to the potential severity and potential result of such a failure.

Number of Companies & Government Agencies Expected to Gain Compliance
In October, 1998, 15% of all companies claim to have achieved level IV compliance of mission critical systems. We predict that 50% will achieve this goal by 2000 (0.8 probability). The majority of large companies in Category 1 countries will complete at least 80% of level IV by 2000 (0.8 probability).

Figure 10 : Predictions and When Failures Will Occur

Possible Risks to the United States
Actions and proactive programs will be needed to keep these risks minimized, and keep them from materializing as described (see Recommendations).

Domestic:

  1. Interruptions due to failures in interdependencies and interconnections between companies and countries produce significant negative impact for U.S. businesses and government operations
  2. IT systems in critical industries will not be fixed in time
  3. Global impact from Year 2000 is not adequately planned for and Year 2000 fuels global recession much more than anticipated
  4. U.S. foreign investments encounter disastrous results and significantly impact the U.S. investment market
  5. Too many people lose confidence in the banking sector
  6. Too many interruptions occur in food or medical supply chain
  7. Local city and town governments cannot provide critical services
  8. Foreign loans, pacts, and trade agreements are adversely affected

Foreign:

  1. Public panic or loss of confidence in the banking sector in high risk countries
  2. Global economy impacted by foreign business and government interruptions
  3. Foreign loans, pacts, and trade agreements are adversely affected
  4. Aid or bail-outs are needed for highest-risk countries
  5. Foreign business interruptions impact too many U.S. companies
  6. Foreign security issues ignited by unrest or severe economic issues
  7. Key foreign government agencies experience significant failures

Recommended Actions for the U.S. Senate

  1. The United States has no body or group tasked with full time monitoring and analysis of global risks the Year 2000 problem is likely to pose to the United States. Even if advisory or consulting companies were to provide this information to the U.S. Senate or other bodies, a full time effort is needed to coordinate global risk assessments of U.S. and foreign governments and other risk threats from other countries on a regular basis - and, even more importantly, to take subsequent emergency action and launch pre-failure contingency plans to reduce risk and ward off possible serious effects. There also needs to be a focal point for providing risk information and warnings to the American public.
    Recommendation: Identify one current federal agency (as a Global Risk Management Agency) to manage and coordinate global impact of the year 2000 problem on the United States. Economic, financial, monetary, military, political, and other resources will need to be analyzed regularly, and quickly-developed strategies and contingencies will need to be launched across agencies, political governing bodies and foreign governments. This agency should report to the Executive Office, and have immediate access to the President's Cabinet in matters of foreign policy, aid, funding, and national security. It should provide press releases, information, guidelines, and warnings to the American public with regard to industries, infrastructure, government, and personal risks throughout 2001.
  2. Many Federal programs are administered locally, and many local governments lag in Year 2000 readiness. Therefore, interfaces between levels of government are at risk. These include interfaces and transactions that occur between local, state, and Federal Government Agencies. Local cities and towns are lagging far behind and need expertise, information, awareness, and aid, to combat the Year 2000 problem.
    Recommendation: Launch U.S.-wide program to coordinate efforts with State and local governments and provide special local city and town government aid and information. This effort should be guided by the Global Risk Management Agency (described in number 1 above).
  3. Our experience shows that U.S. companies are not providing accurate disclosures related to Year 2000 risks and contingencies. There are considerable differences between the status of Year 2000 compliance and critical risks that companies disclose to the SEC, and what the actual status and risks are within that company. This increases the risk of public investments being made without full understanding of Year 2000 risks.
    Recommendation: Pass legislation or require the U.S. SEC to implement random audits as part of the Year 2000 disclosure and reporting requirements for publicly held companies in the U.S. We suggest a sample of audits be conducted by an outside audit agency to confirm these findings, and then change the SEC policy to include sample audits as part of the routine process of Year 2000 disclosure, if substantiated with the sample audits.
  4. U.S. Senate and U.S. federal government Year 2000 plans and contingency plans seem to assume that most failures will occur when we hit January 1st, 2000. As described in this testimony, failures will occur heavily from 1999 through 2001, and not over one single day or week.
    Recommendation: Set correct expectations in U.S. government agencies, with U.S. government contingency plans, and with foreign governments that the failure window will be a three-plus-year period. Ensure that the SEC disclosure period and other Year 2000 regulatory government efforts are planned to last during the entire period needed.
  5. Many lagging companies and government agencies in the U.S. are being asked to implement new regulations, rules, reports, and processes in their IT systems and data to support new federal requirements or legislation continually being passed by Congress (pertaining to a specific industry or segment, e.g. healthcare, education, telecommunications, etc.). This is a major contributor to lack of progress in these companies. Most best-in-class companies farthest ahead in gaining compliance have frozen or significantly reduced enhancements to current IT systems. This has allowed them to focus on fixing the systems and other business dependencies.
    Recommendation: Question all new legislation to determine if it may require IT modifications (i.e., software, hardware, data, or automated reports) in federal, state, or local government agencies, or in private companies. Cease and desist from passing or enacting any legislation that may affect IT systems or change reporting data. Such bills should be put on hold for an extended period, to allow companies and agencies to be successful in their compliance efforts. This will reduce the risk of non-completion of compliance for healthcare, education, and federal, state, and local government by 30-50%.
  6. The U.S. Government efforts appear to be focused in two areas: 1) IT systems within federal agencies and 2) launching legislation to help support compliance within critical industries. It is now clearly evident that segments of companies and governments throughout the world will not be fully prepared to deal with this problem by 2000. Significant global impact will be realized without immediate action to avoid moderate or worst case results.
    Recommendation: We suggest adding a 3rd area of effort - managing global dependencies and risks. It's critical to launch substantial contingency efforts in order to reduce global dependency risks prior to Q3 1999. These efforts may be conducted by the Global Risk Management Agency (described above). We suggest this new and additional focus be defined as a major component of U.S. national compliance efforts, and directly linked to the U.S. federal agency efforts, the Executive Office of the federal government, and the U.S. Special Committee on Year 2000.

Summary
A great deal of progress has been made during the past year in the U.S. and in several parts of the world. IT organizations in the U.S. have increased their spending for Year 2000 projects an average of 6 times over what was spent during 1997. Year 2000 is now prioritized at the top, or number 2 (following Enterprise Resource Planning system projects - to replace Legacy systems) by most U.S. companies. Large companies in the U.S. have made the most significant progress, and many of them will complete most of their compliance efforts by 2000. Even smaller companies in the U.S. have made significant progress in the past year, in several industries.

Even with all of this progress, there are still very serious risks for the U.S. and throughout the world. The gap is widening even more, between companies and governments farthest ahead and the ones farthest behind, since the laggards are moving much more slowly toward compliance. In the U.S., industry segments such as healthcare, education, agriculture, construction, food processing, governments, and companies under 500 employees are lagging way behind in compliance efforts. Many of these will simply not finish critical systems by 2000.

U.S. investors are provided very optimistic, often inaccurate, disclosures from publicly traded companies (to the U.S. SEC), and therefore accurate investment risk assessment data is not often available. This is likely to affect our U.S. market and several other economic factors as we get closer to 2000.

Interdependencies and interconnectivity between companies and across country borders are also extremely high in significance related to Year 2000 risks. Many of these interdependencies are not being covered by either company, and many times these interconnections and data transfers cannot be easily tested. These are of critical importance in banking, government, healthcare, and for many global manufacturers.

Even if we were to miraculously fix every one of these domestic issues and make certain all U.S. companies and government agencies will get themselves Year 2000 compliant before 2000, the absolute largest risk to the U.S. and to U.S. citizens is the impact from companies and governments outside the U.S. Far too many companies and governments critical to our continued strong economy, and providers of key resources, are more than 30 months behind private industry in the U.S. Since it takes an average of 30 months for a midsize company to achieve compliance of their most critical systems, many of these lagging foreign companies and governments will simply not have enough time to get their systems fixed before 2000. Failures will lead to a negative impact on our economy and availability of critical resources. We'll see significant impact from failures in these regions, including economic, sociopolitical, investment shifts, market changes, critical resources, national security, and defaults on federal loans. The only way now to combat this enormous issue is for the U.S. Government to launch significant foreign contingency strategies in order to reduce or negate high risk dependencies on these industries and countries before we begin to feel these ill-effects. Since failures will increase in numbers throughout 1999, increase in volume throughout 2000, and continue at reduced levels throughout 2001, the time to act on this is now.



GartnerGroup Corporate Headquarters, 56 Top Gallant Road, Stamford, Connecticut 06904 USA +1-203-316-1111
Entire contents Copyright © 1997, 1998 by Gartner Group, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. Please read the guidelines for customer use of GartnerGroup intellectual property.