Management Summary

Few topics are creating as much interest, or are as widely misunderstood, as the rapidly approaching year 2000 date-change problem confronting the IT industry and, more importantly, the world economy. The United States is among several countries (e.g., Australia, Canada and the United Kingdom) leading the world with a fairly high level of awareness of, and preparation for, the year 2000 problem in governments and industries. A handful of other countries are only a few months back in terms of preparing and planning for the date change. However, many more countries have a lot of realization and catching up to do concerning the scope and severity of the year 2000 problem.

GartnerGroup has written extensively on the looming impact that the year 2000 problem will have on enterprises and economies, but much less so on the impact it will have on the individual level; this Strategic Analysis Report addresses that topic. Many of the strategies, models and advice that GartnerGroup has presented to enterprises and governments are equally applicable to individual use to expose and address the year 2000 problem. In this report, GartnerGroup also provides some unique advice for individuals that should lower their risk of being seriously affected and disrupted by the year 2000 problem.

GartnerGroup urges individuals to take a long-term view of the issues. Withdrawing funds from banks or liquidating investments is not warranted. For the most part, GartnerGroup assumes that most enterprises will address mission-critical systems so that 90 percent of the systems that do fail will be corrected within three days. Therefore, for most people, planning for year 2000 issues requires getting through January 2000. A "bomb shelter" mentality is not called for. Preparing for the new millennium should be much like preparing for a storm that will last less than a week.

GartnerGroup has included a list of risks for individuals due to the year 2000 problem, along with sample actions. Individuals may modify the list and use it for their personal year 2000 planning. A methodology for planning is also presented. For the most part, planning for 2000 requires common sense and the implementation of contingency plans in a timely manner. As "no man is an island," individuals should plan to help friends, neighbors and their communities create a comprehensive plan for assessing and planning for the risks associated with the "millennium bug."

The Bottom Line: Individuals should prepare for limited duration, localized failures of services and infrastructure rather than an apocalypse. The type and number of failures will vary geographically and cannot really be predicted. Individuals should ensure that they have at least two weeks' salary in cash and up to five days' contingency supplies of key consumable materials (e.g., medication, fuel and food) that they might need.

This Strategic Analysis Report represents the collective view of GartnerGroup as of October 1998. Special thanks to Nicki Brown, CEO of Wilton Bank in Wilton Connecticut, and a member of the American Bankers Association's Y2K committee. This report includes statements that may constitute forward-looking statements made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. Although GartnerGroup believes the expectations contained in such forward-looking statements are reasonable, it can give no assurance that such expectations will prove to be correct. This information may involve risk and uncertainties that could cause actual results to differ materially from the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, factors detailed in this report.

CONTENTS

1.0 Introduction

2.0 The Final Scenario: A Global View

2.1 COMPARE Ratings

3.0 Personal Year 2000 Planning

3.1 Banking Issues

3.2 Stock Market Issues

4.0 Contingency Planning

4.1 Consumer Goods and Year 2000

4.2 Community Planning

5.0 Summary

FIGURES

Figure 1. Status by Industry - Worldwide

Figure 2. Status by Geographic Area - Worldwide

Figure 3. Year 2000 Compliance vs. Risk

Figure 4. Personal Year 2000 Risk Assessment - By Category

Figure 5. Personal Year 2000 Risk Assessment - Risks in Order of Criticality

1.0 Introduction

There are a number of myths, fallacies and irresponsible assertions circulating about the scope and impact of the year 2000 problem, accompanied by a significant volume of misguided and, in some cases, frankly bad advice. Unlike most GartnerGroup research, this Strategic Analysis Report is addressed to individuals, not to enterprises that must deal with specific technologies. Furthermore, the goal of this research is not to advise enterprises on the relative merits of one technology compared with another, but rather to assist individuals in coping with the possible - and likely - consequences of the year 2000 problem in their personal, business and social lives.

Although this report makes use of technology analysis to build its recommendations, it is not primarily focused on assessing the long-term strategic impact of a configuration of IT events. The goal is to assist individuals in rationally assessing and responding to the possibility of various failures in IT due to the year 2000 problem.

The year 2000 problem is analogous to a major storm. In this case it will be, at worst, similar to a hurricane, cyclone or bad snowstorm. One can predict its arrival and can thus prepare for it. For individuals, the year 2000 problem will not be a catastrophe such as a severe earthquake, a huge asteroid crashing into the earth, or a nuclear war.

Individuals should be aware that in 1999, year 2000 failures will begin and the number of failures will rise as enterprises and government agencies begin their new fiscal 2000 year. During 2000, failures will occur throughout the year. After 2000, some applications that are used only periodically will likely encounter problems because those applications were not tested adequately. Throughout 2000, 2001 and 2002, enterprises will install some noncompliant solutions, attempt to use noncompliant archived data, or receive noncompliant commercial software versions. This will cause some continued failures.

Many embedded systems will fail at midnight on 1 January 2000. However, most networks - IT as well as public telecommunications carriers - operate on Universal Coordinated Time. This means that if a network problem occurs (which could affect the Internet), it could manifest itself at 7:00 p.m. on 31 December 1999 on the East coast of the United States, not at midnight. Fortunately, 1 January 2000 happens on a Saturday, so enterprises have at least two days to work on the problems, which should result in minimal effects on individuals.

2.0 The Final Scenario: A Global View

It is important to know what scenarios are likely to understand what failures and plans may be considered common among enterprises and government agencies, and what risks exist. An understanding of potential failures around the globe helps to determine risk management and continuity budgets and plans, since it aids in determining common and best practices. To begin understanding the total risk of the year 2000 problem, GartnerGroup conducted a recent worldwide survey of enterprises and country government agencies. More than 15,000 enterprises in 87 countries were surveyed to capture information related to their year 2000 status, methods, strategies, plans and costs. Enterprises and government agencies were rated by size, industry and country. Examples of the survey results follow.

2.1 COMPARE Ratings

GartnerGroup has defined a scale called COMPARE (COMpliance Progress And REadiness) that enterprises can use to judge their own or their partners' efforts for year 2000 compliance. The COMPARE scale features the following levels:

GartnerGroup presents COMPARE level status by industry (see Figure 1) and by geographic area (see Figure 2). On each status bar showing COMPARE level status, on average, the 25 percent of the bar farthest to the right represents large enterprises, the 25 percent farthest to the left represents small enterprises, and the middle 50 percent represents midsize enterprises.

(Table:00073955001.gif)

Source: GartnerGroup

Figure 1. Status by Industry - Worldwide

In the United States, large enterprises (i.e., those with more than 20,000 employees) are between 20 percent and 40 percent complete with their year 2000 compliance efforts. In the United States, GartnerGroup's analysis yields a mission-critical failure probability of less than 15 percent (the same probability as for enterprises in "leading" industries, such as financial).

Strategic Planning Assumption: Through the end of the first quarter of 2000, between one third and one half of all enterprises will experience mission-critical business process interruptions due to the year 2000 problem (0.7 probability).

(Table:00073955002.gif)

Source: GartnerGroup

Figure 2. Status by Geographic Area - Worldwide

Midsize enterprises (i.e., those with 2,000 to 20,000 employees) are 10 percent to 20 percent complete and have a 0.6 probability of a mission-critical failure. Small enterprises (i.e., those with fewer than 2,000 employees) are 0 percent to 10 percent done and have a 0.8 probability of a mission-critical failure.

Throughout 1998 and 1999, fixing the year 2000 problem will be the highest priority for most IS organizations. Extreme pressure will be put on IT budgets and staff. Worldwide, central, federal, state and local governments are most at risk, as are many small and midsize enterprises. Projects often have the following characteristics:

Australia, Belgium, Canada, the Netherlands, Sweden and the United States are leaders. Asia, eastern Europe, India, Pakistan, Russia, southeastern Japan, most of South America and Latin America, most of the Middle East, and Central Africa all lag the United States by more than 12 months (see Figure 3).

(Table:00073955003.gif)

Source: GartnerGroup

Figure 3. Year 2000 Compliance vs. Risk

Although regions such as the Middle East and Russia are further behind than Germany and Japan, GartnerGroup expects the disruption to be greater in Germany and Japan because of their tight supply chains and their greater dependence on IT systems.

The United States will get through the problem with few significant system failures that cause major business interruptions. Business interruptions will be more prevalent in small to midsize enterprises. Local municipalities will experience some failures, but the majority of critical public infrastructure should remain intact. In other countries the result could be more severe.

The "Asian Financial Crisis" is a major inhibitor to solving the year 2000 problem. Many emerging economies with a high dependence on commodities (e.g., oil, grain and copper) or with serious problems in their banking systems are struggling to find the financial resources to fix their year 2000 problems. Therefore, the two problems are feeding each other in the long run. Individuals in those countries must be more careful in the assessments of personal risks. Enterprises with a high dependence on those countries for revenue will be affected economically.

Governments worldwide are generally behind commercial enterprises in addressing the year 2000 problem. Availability of imported goods may be affected if the central bank, customs, transportation authorities (e.g., air traffic control and port authority), or communications or power systems fail in the exporting or importing country. However, that situation should have only minor effects on individuals as long as goods produced domestically are available.

An exception to this is Mexico, where the President of Mexico is a leader in the country's efforts to minimize the risk of the year 2000 problem. All government agencies, the banking system and the securities sector have aggressive projects underway with stringent reporting requirements. The government also has a comprehensive outreach program for small and midsize enterprises to assist in awareness, planning and remediation of systems at risk due to the year 2000 problem. The scope includes Web pages, literature and the involvement of chambers of commerce and trade associations. Other countries with top government leadership involvement are Australia and the United Kingdom.

3.0 Personal Year 2000 Planning

To plan for personal business continuity and disaster recovery, it is necessary to plan for very specific failure scenarios. Disaster support and recovery plans can be developed to accommodate the duration of most failures. The key is that individuals will likely be capable of performing only very simple risk assessments and investigations to determine their risks and the likely risk factors and probability of failure for each category area. GartnerGroup provides a very basic personal inventory template (see Figure 4).

In many cases there is no effective way for a non-U.S. person to meaningfully assess the risk posed by such things as infrastructure and financial services. Few countries have as rigorous reporting requirements as the U.S. Securities and Exchange Commission (SEC), and individuals have no leverage on enterprises such as insurance and utility companies. Such enterprises generally do not provide specific responses to individuals. Consequently, all one can do is read what those enterprises publish and take a conservative position regarding risk in those areas.

(Table:00073955004.gif)

Source: GartnerGroup

(Table:00073955005.gif)

Figure 4. Personal Year 2000 Risk Assessment - By Category

Source: GartnerGroup

Figure 5. Personal Year 2000 Risk Assessment - Risks in Order of Criticality

Figure 5 is a sample sort of the risk items in order of criticality. The most critical factors for most people are clearly the availability of telephone service and electric power. The use of many services - e.g., automated teller machines, emergency services, use of credit cards, electronic funds transfer, stock transactions and airline reservations - are dependent on phone service. Each may internally have a low probability of failure, but they all depend on phone service and power availability.

Strategic Planning Assumption: Only 10 percent of mission-critical failures will last three days or more, and 70 percent will likely last less than 48 hours (0.8 probability).

GartnerGroup advises individuals to do the following:

- Grocer: Do you have a contingency plan in case your major suppliers have a delivery problem?

- Bank: What are your contingency plans for year 2000 problems?

- Home security system: Is the system year-2000-compliant?

3.1 Banking Issues

A few days before 31 December 1999, journalists could, for example, publish an article on the front pages of major newspapers essentially stating that the banking system of a country - or worse, that a specific bank - is not year-2000-complaint. That could cause a major withdrawal of deposits. GartnerGroup considers it plausible that - around December 1999 and January 2000 - several central banks might issue withdrawal restrictions or a partial "freezing" of some accounts, or some areas might have to endure a few days without banks being open. This scenario must be taken into consideration.

A big concern for most individuals is the availability of cash as a contingency that automated teller machines and credit cards will not work after 31 December 1999. On 10 August 1998, the U.S. Federal Reserve announced an increase in inventory reserves primarily because of the year 2000 risk. The U.S. Federal Reserve is taking prudent year 2000 contingency action to reduce risk during the rollover into the next century. It is increasing its monetary inventory reserves from $150 billion to $200 billion to cover:

Withdrawals made by the public are expected to be relatively small cash amounts whereby bank customers hope to cover critical expenses during a short millennium rollover period. Even though significant infrastructure and utility failures should be rare in the United States, the potential for some spotty regional problems may exist and must be considered. The Federal Reserve will increase reserves primarily to cover those risks.

In the 1999 fiscal year (ending 30 September 1999), $460 billion will be in circulation with $200 billion held in inventory - a more than comfortable safety margin. The Federal Reserve normally plans for peak spending and cash withdrawals during seasonal holidays and during natural disasters. The increased inventory is being planned now, since the 1999 cash print order for the period of October 1998 through September 1999 is placed during this time. More money will be printed in larger denominations, and there is a provision to keep older bills in circulation, if necessary. In countries other than the United States, greater problems may develop.

In the United States, the banking industry, regardless of the bank size, has had the same detailed extensive regulatory oversight of its year 2000 process. The Federal Deposit Insurance Corporation has the same requirements for all of its member banks. Individuals should be aware that the year 2000 date change will not affect their deposit insurance coverage.

Before 31 December 1999 and for some time after that date, governments and regulatory bodies around the world will be implementing safeguards to preserve market integrity. In countries in which the government was not always a wise regulator, that may be a serious concern.

The greater risk comes from standing orders and direct debits, as well as from the potential miscalculation of interest on loans and deposits. That may include direct automatic payments of a mortgage by a bank and escrow payments by a mortgage company. Individuals should keep detailed, up-to-date records of those transactions to reconcile issues should they arise. All bills and payments due that contain interest payments (e.g., credit card statements) or penalties based on late charges should be inspected and detailed records kept.

The Bottom Line: Most banks in developed countries will be prepared for 2000 in their mission-critical systems. Withdrawal of more than two weeks' pay in cash before January 2000 is not warranted.

3.2 Stock Market Issues

Most governments are aware of the year 2000-related risks to the securities markets. Regulatory bodies may take action such as not allowing stock price movements except on a thin "flotation" band, and on currency equivalencies.

This could also happen with pension funds (e.g., in Latin America or Asia, individuals may not be able - or it will likely not be advisable - to retire during that period). Governments may issue restrictive legislation in that direction. The U.S. SEC is issuing strong orders to companies listed on the stock exchanges to be forthright in their year 2000 readiness reporting, or else be subject to delisting before investors can be hurt. This is also happening in other countries, especially in Europe, to minimize investor risk. In addition, in the United States, significant fines have already been levied against brokerage companies with late or incomplete reports on their year 2000 compliance status.

Besides specific company or agency status, other items of importance to review are related to infrastructure, local economy, monetary values and exchange rates, ability to sustain customers in a given geographic area, or possible changes to government regulations or customs in a geographic area. By determining the industry and geographic coverage of the company, a high-level, rough assessment can be made to determine the risk of noncompliance, nondelivery or business interruptions. Individuals should ensure that their stock brokers are taking these factors into consideration when giving advice on specific stocks and other financial instruments. Bear in mind that investment broker companies will be highly optimistic about the year 2000 situation.

Payment of invoices may be delayed, which can disrupt the payment chain. This can result in more regulation that will affect business and banking laws, including the probable suspension of lawsuits or demands pertaining to lack of payment situations. Interest rates may also be regulated in this environment.

If basic financial business systems are functional, then decent records will be all that is necessary to resolve any minor errors. If those basic systems are not functional, it will do no good to posses a piece of paper, no matter how intricately printed it is. Individuals should carefully review all bills and statements received after 31 December 1999 for errors. Interest may be computed incorrectly, or payments based on usage (e.g., telephone) may be in error.

The Bottom Line: GartnerGroup does not advocate liquidating stocks, bonds, or other investments. However, investments should be monitored for compliance risk and alternate investments considered if status information regarding compliance is not specific or difficult to obtain.

4.0 Contingency Planning

Other line items in the personal inventory are not critical for most individuals, unless the problem persists for more than a week. GartnerGroup believes that less than 10 percent of the year 2000 compliance problems will last for more than three days, so the potential risk is low. Some items - such as taxes, mortgage payments or real estate sales - can be deferred due to the date change and should not be a major concern, especially if identified and brought to light before hand.

Due to the pervasiveness, extent and uniqueness of the year 2000 problem, there will be a large set of unknowns potentially well into the next century. Some systems may not manifest problems until 29 February 2000 (2000 is the first century-change leap year in 400 years) or even the end of that year; diagnosis and repair of contaminated data may take even longer to detect. Some individuals will be more adversely affected than others because of their geographic, political, social or economic environment. Individuals cannot afford to ignore the unknowns - individuals must face them, be aware of them and make plans to deal with them because of the huge number and types of systems involved.

It is important to budget money for dealing with contingencies and disaster recovery as part of an internal, self-funded insurance effort. As noted in Figure 4 and Figure 5, preparations for possible year 2000 problems should include the following:

While the likelihood of a complete collapse in utilities, telecommunications networks, transportation and distribution systems is very small, it should not be ignored. Local failures of some of those systems are more likely than others. Check insurance coverage for year 2000 exclusions. Not all insurers are the same. Some domestic insurance coverage has exclusion clauses, but some insurers have not yet excluded such risks. If a power outage occurs that disrupts the heating system and causes water pipes to freeze and break, resulting in water damage, will the insurer cover the repair costs?

E-mail and voice mail systems could be affected by the year 2000 problem. This may result in erasing all messages unread for "100 years" or passwords unchanged for "100 years." It would be wise to retrieve any messages not read or listened to by 30 December 1999. Internet messages should also be included.

The Bottom Line: Given this scenario, GartnerGroup recommends the monitoring of any travel plans for January 2000, and as 2000 draws nearer, alternatives should be considered if the level of concern worsens. Individuals planning to ship packages via air express should ship early if possible.

4.1 Consumer Goods and Year 2000

Strategic Planning Assumption: Through 2001, desktops, embedded systems and supply chain management remain the largest obstacles to year 2000 compliance (0.8 probability).

Problems with process systems are much more difficult to diagnose and correct, are generally further behind in year 2000 efforts than the IT systems, and tend to have significantly greater economic and public safety ramifications than those associated with IT systems. However, consumer goods will experience failure rates so low that they can be ignored except where they are involved in life-threatening medical activities.

Most personal devices that use dates are not critical and can be manually reset on 1 January 2000. Such devices include home PCs, VCRs, home theater systems, clocks, fax machines and answering machines. An exception to this is the Global Positioning System (GPS) of 24 satellites. The date function will roll over a 1,024 week count at 11:49 p.m. on 21 August 1999, and will result in a 1/5/80 date by GPS receivers. Individuals using GPS for their automobiles, boats or other personal use should check with the receiver manufacturer to determine if it will handle the problem or if updates are available. Most systems shipped after 1995 have been modified to eliminate this problem.

The Bottom Line: Few consumer devices are date-sensitive - most can be easily reset with little affect on individuals.

4.2 Community Planning

For coping with many of the short-term effects of many potential infrastructure failures, a community-based response makes economic sense. It is considerably simpler to heat a community center with emergency power or heat sources than to arrange the emergency heating of 100 individual properties. Local social groups - e.g., church groups, school boards and town councils - can provide a useful focus for the coordination and delivery of emergency services. Someone will have to do this anyway, since not everyone will be sufficiently aware of the need to prepare, or sufficiently economically empowered to be able to do so.

Most local governments have an emergency disaster response plan; the year 2000 date change should be included in the plan, much as a flood, snowstorm or other such event. The preparedness should focus on loss of power, water and phone service, which could fail because of the networked nature of those services. Many local power and phone companies are connected to a "grid" or service area, and a failure anywhere in the grid can affect local service. Local emergency services such as police, fire, ambulance and hospitals should have a cellular phone and private mobile radio backup to land-line telephone service. Local media should be involved in the plan to "get the word out" regarding status and recommended public actions. This helps minimize any potential panic if the community suffers a critical outage.

The social response does not invalidate much of the work required by individuals. Only individuals can decide things such as whether they need cash in hand, whether their insurance is adequate, whether travel plans are sustainable, or whether their driving license needs renewal.

The Bottom Line: People should not ask "How can I survive the century boundary?" They should ask "How can my neighborhood and I survive the century boundary?" People should volunteer to help the elderly or sick, and should also volunteer their services to their local, city or town governments.

5.0 Summary

Individuals in Australia, Canada, the Netherlands, Scandinavia, the United Kingdom and the United States will have some disruption, inconvenience and discontinuities during the first week of January 2000. The biggest risk is from failures and outages of telephone and power service, but the rest should be manageable. Countries in Asia, Latin America and emerging countries will have a potentially larger disruptions because businesses and governments in those areas are behind in fixing the mission-critical functions.

The largest enterprises - e.g., banks, retailers, distributors and manufacturers - in a country will generally be most prepared and have the lowest risk factors. The same is true for most large multinational enterprises. Most of those enterprises started to prepare early and have had the resources to fix at least their mission-critical systems. Failure of critical government systems continues to pose the greatest risk.

Individuals should make a contingency plan based on the risks for their country. Travel throughout the world in January 2000 should be deferred if possible. The progress in solving year 2000 problems by banks and investment companies should be monitored. GartnerGroup does not recommend liquidating assets or withdrawing all funds from banks.

The greatest risks to most individuals are:

- Small enterprises are further behind than midsize and large enterprises. Individuals should maintain awareness of the status of their employers' year 2000 compliance status.

- Participating in such actions will be of little benefit in the short or long run. Actual failures will be less than feared by most individuals.

- Be extra careful about scams and unqualified advice.

- Be aware that the broadcast news and business press may have a very pessimistic outlook because of information given by those with vested interests - e.g., year 2000 service and software vendors, private consultants and consulting companies.

Entire contents (C) 1998 by Gartner Group, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner Group disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner Group shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.