For Risk Managers, the Year 2000 is Now!
by Andrew M. Pegalis
Risk Managers must become fluent in information systems, and fast
There is a significant new risk all companies face, to varying degrees, for which every risk manager must prepare. I am referring to the year 2000 problem, sometimes called the millennium bug. Failure to understand and prepare for it will assuredly cost risk managers their jobs, and more importantly cost companies in ways never imagined just a short while ago.
Since the first generation back in the late 1950's and early 1960's, computers have been programmed with a two-digit date field to represent the year. For example, the current year is "96" according to nearly all mainframes, networks, and personal computers. This choice of design was made because of the high price and limited amount of memory in early computer architecture. When 12:00 am Jan. 1, 2000 arrives, most computers will roll over to "00", which will be treated as 1900 for arithmetic purposes.
An example of the problem: a mortgage company automatically sends out foreclosure notices to mortgagors who are 180 days overdue. Its computers are programmed to subtract the date due from today's date, and if the result is 180 days or more, it sends a form letter. Suppose further that the last payment by a mortgagor was on June 15, 1999. On Jan. 1, 2000, the computer will subtract "061599" from "010100" and arrive at a negative number. According to the computer, the delinquent mortgagor still has almost 100 years to make the next payment.
That is the problem, over-simplified. Imagine if your bill payment, invoice, claims processing, debt collection, or other systems fail. Your business will effectively be crippled for as long as it takes to repair or replace the affected system.
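The mortgage calculation described above, as an added example that is not part of the original article: it parses the same MMDDYY strings the legacy way (every year read as 19YY) and again with a fixed-window interpretation, one common remediation. The function names and the pivot value of 50 are assumptions made for illustration.

```python
from datetime import date

def parse_mmddyy_legacy(s):
    """Legacy behaviour: the two-digit year is always read as 19YY."""
    return date(1900 + int(s[4:6]), int(s[0:2]), int(s[2:4]))

def parse_mmddyy_windowed(s, pivot=50):
    """Fixed window (pivot is an assumed value): YY below the pivot is 20YY,
    otherwise 19YY. This only moves the ambiguity to the pivot year;
    storing four-digit years removes it."""
    yy = int(s[4:6])
    century = 2000 if yy < pivot else 1900
    return date(century + yy, int(s[0:2]), int(s[2:4]))

def days_overdue(due, today, parse):
    """Subtract the date due from today's date, as the article describes."""
    return (parse(today) - parse(due)).days

def foreclosure_notice(due, today, parse, threshold=180):
    """True when the account is at least `threshold` days overdue."""
    return days_overdue(due, today, parse) >= threshold

if __name__ == "__main__":
    due = "061599"  # June 15, 1999, the date used in the article
    for today in ("123199", "010100"):  # the day before and the day of rollover
        for parse in (parse_mmddyy_legacy, parse_mmddyy_windowed):
            print(today, parse.__name__,
                  days_overdue(due, today, parse),
                  foreclosure_notice(due, today, parse))
```

On Dec. 31, 1999 both parsers agree; one day later the legacy parser reports a large negative number of days and the notice is never sent.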
Compliance Projects: Expensive and Lengthy
Now for the bad news: getting your systems into year 2000 compliance is neither simple nor inexpensive. Estimates for the cost of compliance range from 75 cents to $2 per line of code. That sounds cheap until one realizes that an average company has millions of lines of code. The Gartner Group, a Stamford, Conn.-based information technology research, analysis and consulting firm, estimates that a medium-sized company with 8,000 computers will have to pay between $3.7 million and $4.2 million to prevent system failures. On a global level, estimates are upwards of $600 billion, according to U.S. Sen. Daniel P. Moynihan, D-N.Y. Perhaps worse than the expense of getting into compliance is the time it takes to complete the process. The average company requires 12 to 18 months.
Is this really going to affect my business?
Here is a reasonably likely scenario: ABC Co. heavily relies on computerized systems, fails to heed the myriad of warnings about the year 2000 and neglects to take pre-emptive measures. The new millennium rolls around and ABC is unprepared. On Monday morning January 3, 2000, everyone at ABC comes into work to find their email non-functional, the computerized phone system shut off, the check drafting, invoice, purchasing, and other systems producing erroneous information or none at all. ABC is unable to take new orders for its product or schedule services; unable to pay its employees, vendors, consultants, or suppliers; unable to communicate with the outside world.
While ABC is frantically searching the yellow pages under computer repair, XYZ Co. is functioning without a hitch because it began to prepare back in December, 1996. XYZ's risk manager, IS personnel, board of directors and company officers all agreed on a prudent strategy and executed it with minimal disruption. The cost to XYZ was in millions of dollars. The cost to ABC is far greater.
So what happens to ABC? At first it struggles to find a vendor who will only now begin to review its systems. After all, qualified vendors will be in short supply. In the interim, the company loses new accounts because it cannot take new orders, it loses its suppliers because it cannot pay them on time, it is unable to collect on accounts receivable, etc. At best it loses business to XYZ, and its stock value drops. At worst, bankruptcy. Much to XYZ's surprise, ABC isn't the only company to have chosen the "ostrich approach" to the year 2000. In fact XYZ, because it started in 1996 and was able to complete its compliance testing in time, is one of only a select few competitors to be year-2000 compliant and fully functional. Low supply and high demand increase prices. XYZ will raise its prices to reflect lack of competition and customers' fears of unavailability. All of a sudden the cost of becoming compliant seems trivial compared to ABC's fate and the oligopolistic boom to XYZ.
What Should Risk Managers Do?
In order to survive this techno-apocalypse, risk managers must become educated in the basics of the Year 2000 problem and solutions. Many well-written background articles about the millennium bug are available. Most likely your information systems personnel have been clamoring about this for some time. Now it is time to listen to them and take stock through these actions:
Systems Audit. You must inventory your systems, both hardware and software, companywide. There are two main reasons to conduct such a survey. First, various manufacturers have issued press releases on their systems' ability to handle the date change and what correction methods they recommend.
Warning: be skeptical of broad manufacturer claims that its products are ready for the date change. Recently, several companies have publicly announced full confidence in their products, only to later retract those statements upon further testing.
One aspect of your compliance program might include partial or large-scale upgrades. For practical business reasons, risk managers should compare the cost of possible systems upgrades with the cost of compliance repair. This is the second purpose for a systems audit.
Systems Prioritization. Perhaps the most difficult aspect of a compliance program is systems prioritization because it requires ranking business functions. Several companies have experienced a logjam early in the conversion process because of internal squabbling about which systems should be corrected first. It is therefore essential that company officers understand what is involved and take a strong leadership role.
Vendor Selection. The actual conversion process is laborious and highly technical. Independent companies have emerged in recent years claiming expertise in analyzing systems, identifying lines of code, correcting each line, and testing the converted code to ensure it still performs the function it was intended to perform. All such companies can be called compliance vendors for simplicity's sake.
Compliance vendors vary by geography, size, expertise and ownership. Few have extensive experience because of the severe lack of public awareness. Some large financial and computer companies now offer compliance services, some independent companies have gone public, but most vendors are small entrepreneurial endeavors.
It is no secret that the quality of a vendor is directly related to the quality of its personnel. Quite simply, vendors provide a service, first and foremost. The better the personnel, the better the service. The Information Technology Assn. of America has begun a certification process which attempts to assure minimum standards of vendor competence. Note there is a serious shortage of qualified personnel. The risk is a vendor's potential inability to maintain staff as competitors attempt to lure them away with more lucrative offers. This compromises a vendor's ability to complete projects on time and on budget.
Vendor Contracts. After a company hears the presentations and selects its compliance vendor, it's time to negotiate the agreement. Unfortunately, because of the shortage of qualified vendor personnel you must demand unusually stringent guarantees. For this reason and because of the importance of the year 2000 problem to your company's survival, this is an area in which Gartner Group recommends expert legal advice. Of all the vendor's contracts, yours is the most important.
Consultants and purchasing agreements: Old and new
It's also important to review vendor contracts. While the systems audit, vendor negotiations and the education process are underway, existing software development contracts, purchase agreements, and systems maintenance agreements should be reviewed. It is important to know whether your company has contractual guarantees for its systems.
For the next three years, all technology-related contracts your company enters into should include sufficient guarantees of Year 2000 compliance so as to leave no ambiguity about who bears the risk of loss in the event of failure.
While I make no assurances as to the adequacy of protection and I cannot endorse boilerplate warranties, some sample contracts and warranties are available online. For examples, see http://www.deweerd.org/year2000/compliance.html. In addition to discussions with counsel, accounting departments should be involved early in the process as well. The Federal Accounting Standards Board has proposed that Year 2000 costs be expensed, rather than capitalized or amortized. This is contrary to Generally Accepted Accounting Principles and could cause financial problems for small to medium-sized companies.
Are You Insured for Year 2000 Losses?
What happens if you fail to take preemptive measures, fail to implement a compliance program, or are abandoned by your compliance vendor mid-conversion? There might be partial coverage under existing insurance policies. Insurers have been relatively quiet about this issue. That's not surprising considering the dollars involved. Here is a thumbnail of the coverage issues:
Professional Liability. Clearly if you are a technology producer, designer, consultant, etc. you are at risk of being sued for errors and omissions. Here your professional liability insurance might cover the litigation and award. However, if your policy is written on a claims-made basis, you might find an exclusion inserted in your policy within the next few years. Be sure to consult with your insurance agent or broker.
Business Interruption. The coverage most directly applicable to the year 2000 problem is business interruption insurance. In general, business interruption coverage is an add-on to your property coverage for profits lost during recovery from a fortuitous loss. While a 40-year-old design flaw might not seem fortuitous, its particular effects on your systems could be. Consequential or contingent BI is a rider designed to protect you from losses caused by an insurable event to a third party. Typically these riders are written to cover only named perils; all-risk coverage is currently available for a higher price, but might not be come Jan. 1, 2000.
Directors & Officers Liability Insurance. D&O coverage protects corporate decision makers from suits brought against them personally for negligent business decisions. Even if an entire industry neglects to take pre-emptive measures, directors and officers could still be held liable. As Justice Learned Hand eloquently stated in the 1932 T.J. Hooper opinion, "There are precautions so imperative that even their universal disregard will not excuse their omission." As evidence of negligence, shareholders will likely cite to reporting failures. Under the SEC's S-K regulations, directors must report exposures to the millennium bug and plans for compliance to the SEC.
Remotely Possible Exposures and CGL Coverage
Stories about world-wide system failures truly boggle the imagination. While these may seem like stretches, there are some possible public liability exposures you ought to think about such as time-lock vaults, security systems, elevators, computer-controlled sprinkler systems, computerized manufacturing equipment, etc. Here is where your CGL policy could be called into play. Historically, new areas of coverage not previously contemplated are litigated by insurers, resulting in high legal fees for policyholders.
As we move closer to the turn of the millennium, year 2000 problems will become more and more evident. Throughout the history of insurance and risk management, new issues like asbestos and polychlorinated biphenyls in electric transformers arise from time to time, changing the focus of discussion, and becoming incorporated into the vernacular.
To that list, add the Year 2000 problem. It should be in a risk manager's daily discourse.
This article first appeared in Business Insurance, December 23/30, 1996
Andrew M. Pegalis is President of Next Millennium Consulting, Inc. He has given presentations on Risk Analysis and the Year 2000. Other publications include: Year 2000 Problem - Strategies and Solutions from the Fortune 100 (Leon A. Kappelman ed., 1997). He can be contacted at: pegalis@consult2000.com or Next Millennium Consulting, Inc. at (301) 986-8500.