Senate Banking, Housing and Urban Affairs Committee

Field Hearing
The Implications of the Year 2000 Computer Problem

Mr. Chairman, thank you for inviting us to participate in this important public forum today. My name is Vincent Mullineaux. I am President and Chief Executive Officer of Millennia III, a professional services firm based in Westport, Connecticut. We founded Millennia III in 1996 specifically to address the business and technical aspects of the Year 2000 problem. Our practice is focused intensely on helping organizations cope with the many difficulties that confront them because of the Year 2000 problem. Among our customers are major Fortune 500 manufacturing companies, health care institutions, financial services firms, and transportation companies. We also have offices and customers in the United Kingdom. We have been focused on the Year 2000 problem for almost two years and already have more than 160 staff members and we anticipate revenues of more than $60 million in this fiscal year.

With me is Fred DelGaudio, Millennia III's Senior Vice President with responsibility for delivery of our Year 2000 services. At the request of your office, Mr. Chairman, we have with us a brief video presentation highlighting some of the more common problems that will manifest themselves with the Year 2000.

Before we simulate these problems for you, I would like to briefly describe the Year 2000 problem and why we believe the nation - indeed the world needs to address this problem in a far more serious and methodical way.

First the problem. As most people know, it arises because in the early days of computer programming - four, three, even one decade ago - programmers could conserve precious, and expensive, computer memory and storage by using two-digit rather than four-digit year fields. Consequently, after the beginning of the Year 2000, these programs will not compute correctly, creating potentially chaotic situations that we are addressing in this forum

today. Apparently, not much thought was given to what would happen when we reached the Year 2000 and what little thought there was turned out to be wishful thinking - that a simple solution would emerge.

Well, those dates, those programs, those applications afflicted by the so-called Millennium Bug today are lurking in virtually every business, organization, government agency, utility, transport carrier, even mundane household appliances. And the solution is really quite simple - either replace them or fix them.

The cost of fixing computer hardware and software to deal with the Year 2000 is significant, and will increase as demand for resources outstrips supply. The alternative - to replace the systems - is also costly. Both alternatives are time and labor intensive. For many organizations, if I may use an analogy, fixing the Year 2000 problem is akin to taking apart the Space Shuttle, piece by piece, finding and fixing an unknown number of problems, then reassembling the vehicle, TESTING and RETESTING it, and hoping it will fly.

When you add the business and legal liabilities to the cost of replacements, upgrades or hardware and software conversion projects, we find a total cost of $1 trillion worldwide to be very plausible. In our view this is the single largest business-economic problem this nation has faced since the savings and loan crisis of the 1980s and the energy crisis of the 1970s.

Today, Mr. Chairman, only 682 days remain until January 1, 2000. Repeated surveys over the past two years have shown that the leaders of most organizations in the United States are aware of the implications of the Year 2000 computer problem, but only a minority has taken serious action to alleviate the potential problems. A very recent poll by CIO magazine showed 70 percent of 400 chief information officers polled are not confident that their organizations will successfully tackle the millennium bug by the end of 1999. Studies also show the United States is far ahead of the rest of the world in solving the Year 2000 problems. This is February 1998, and now, I'm afraid, there simply is not enough time remaining to alleviate all of the problems. So, I believe our best hope is to alleviate the most critical problems and plan to cope with the rest.

Mr. Chairman, President Clinton has very recently appointed a Year 2000 council to focus attention on the problem, a very timely initiative. You have seen news reports of major Year 2000 problems at the Federal Aviation Administration. The President of the New York Federal Reserve Bank, Mr. William McDonough, has warned of systemic risk to the financial markets from the Year 2000 problem.

The noted economist Dr. Edward Yardeni is forecasting a. high probability of a global recession because of disruption in information flows as a result of the Year 2000 problem. And the Securities and Exchange Commission has been urging publicly held companies to disclose potential Year 2000 liabilities and costs to shareholders. Indeed, this committee has sent legislation to the Senate floor requiring this disclosure (S 1518).

Despite these warnings, there seems to be a general inertia, a sense of complacency and a great deal of skepticism about the Year 2000 problem, even in the news media. Mention the Year 2000 problem and a frequent response you hear is 'Bill Gates will come up with a solution." Certainly, we are not here to generate hysteria, but the problems are real and there is no hope for a magic solution.

Mr. Chairman, you asked us to appear here today to show some visual examples of problems associated with the Year 2000 problem, which we are happy to do.

Our first example is really quite simple and involves what will happen to millions of personal computers that are switched off on December 31, 1999, and turned on again after midnight.

In this example we reset the computer date to Dec. 31, 1999, and the time to just before midnight. Now well request the date again and it will display that it is January 1, 2000, appearing to have successfully rolled over to the new year. Now we turn the computer off and on again. This time, when we query for the date, it shows January 4, 1980. This is the default date for this personal computer. A huge number of personal computers still in use today will encounter this same problem, unless fixed. Others will default to 1900.

Now, what this does not show is how many applications on that personal computer depend on the computer's clock/calendar function. Databases, inventory controls, billing and receivables, financial spreadsheets, scheduling programs... the list is pretty long. Then - setting aside for now all the personal computers in American homes - begin to take into account how many personal computers there are in the offices of corporate America, in the government, in the military. Many, many organizations do not even know how many personal computers they have, and even fewer have accurate knowledge of all the applications on all of those PCs. How will organizations deal with these computers? That is a key question.

Now, take the Year 2000 problem up another step in complexity. As we well know, personal computers make up only one part of the information systems in most organizations. In many businesses, the PCs are networked. Other applications are run on mainframes, or mid-range computer systems. These systems power assembly lines, telecommunications, payrolls, inventories, supplies, most of the components of our economy. Many of these computers were first programmed decades ago. In the intervening years, more and more applications were added, based upon the original computer programs - what we in the business call 'legacy" programs. Many of these legacy programs are undocumented, or the original "source code" was lost over the years. Virtually all of these programs are riddled with two-digit calendar codes. We're also finding that recently produced hardware and software - even produced within the last year - was developed with two-digit date fields. And the only way to fix them is to identify all of the affected code and fix it, line-by-line. Then they must be tested and re-tested.

The next example illustrates a simple profit and loss analysis and forecasting program that could be used in any business today. The spreadsheet package itself may in fact be Year 2000 compliant. But, as you can see, the spreadsheet program was built using two-digit instead of four digit year dates. Note the data accurately reflects the historical sales and expense data from 1990 through 1998. Beginning in 1999, the program forecasts sales, expense and profit data - this is in the green shaded area. The forecasted numbers are correct in 1999. But the numbers appear illogical for the year 2000 and beyond. That's because the computer, in using two digits for date calculations, now produces erroneous results, and the projections become useless. The situation can be seen graphically in the 'Sales Analysis" chart.

This program can easily be fixed by properly using four-digit year fields. But there are millions upon millions of simple and much more complex and sophisticated programs that have been created over the past two decades on personal computers using two-digit date fields. How many of these are critical to the functions of an organization? Asked another way: how many organizations can afford to wait until these programs fail and disrupt their business functions?

Our final example demonstrates what the Year 2000 bug can do within a health care organization. Here is a patient database program used to track information related to medication and treatment results. To simulate this, we assume it is now the Year 2000. To show how the data would look if this were correctly programmed, we input a birth date for Susan Smith of January 10, 1898 - making this patient 102 years old. If we go to generate a report of all of our patient records to indicate a profile of all of our patients grouped by age, Susan Smith is a "geriatric."

Now, let's go back and show an incorrect calculation using a two-digit year 98. Susan Smith now is two years old, and is grouped, quite logically, in pediatrics.

This kind of error, which can occur in many programs throughout the health care industry -just as in other industries - can impact the inventory controls, dispensing of medications, medical research, and other essential services.

Mr. Chairman, in addition to the problems lurking in computer hardware and software, there is also the problem we refer to as the 'embedded chip" problem. Millions of appliances, conveyances - elevators as an example machines and utilities - such as pipelines or electric transmission components - have been manufactured over the past several decades using microchips programmed with two-digit datefields. Embedded chips are used in sophisticated medical devices and military weaponry, as well as automatic coffee makers and other everyday products. Many of these devices or systems will fail in the Year 2000 if the problem components are not replaced or fixed.

I hope these examples have been useful in illustrating the seriousness of the problem. These examples seem rather simple, but when multiplied by the millions of computers, software applications, customized business programs, and potential 'embedded chip" failures, you can visualize the enormous potential of the Year 2000 problem. But again, I want to be clear that there is cause for concern and action, but not for panic.

As we tell our customers, the Year 2000 problem is a business problem, not just a computer problem. To many business leaders, information technology is an arcane area. But you don't need to know how a computer works to realize the implications of the problem, just as you don't have to be a mechanic to realize what's going to happen when your car's engine blows a gasket.

The chart before you illustrates the step-by-step methodology we generally employ in our Year 2000 conversion projects:

1. Gather Inventory: In this initial phase we collect the entire computer hardware and software assets of an organization. We also begin to assess risks in the chain of suppliers and vendors whose own Year 2000 issues may impact our client. And we urge our clients to investigate the "embedded chip" issues that may affect their operations. This initial phase could take four to eight weeks, more depending on the size and complexity of an organization.
   
   
2. Analysis and Assessment: In this phase we analyze the gathered inventory and determine which components have Year 2000 related issues, as well as which components have a probability of failure. This phase may take two to four weeks in a typical case.
   
   
3. Prioritization: Following our assessment of an organization's vulnerabilities, we sit down with senior management and determine which areas of the information systems are most critical, and hence will be fixed first. As time begins to run out for many companies, this phase is increasingly becoming a "triage" exercise. This phase can be accomplished in one or two meetings.
   
   
4. Strategy for Compliance: After the priorities are set, we develop a strategy, or blueprint, for solving our client's Year 2000 problems. The strategy generally involves what we call the four "R's": Re-engineer and/or Replace systems, hardware or software; Retire systems or components if near the end of their useful lives; and Repair software problems, which is generally the most complex and time-consuming part of the plan. The strategy phase generally takes about one month.
   
   
5. Execute Strategy: This is where the hard work is done. It is labor and time intensive for us and our clients. In the case of software remediation, finding date codes written many years ago with little or no documentation and few, if any, standards, is a painstaking process. The entire phase can take four months or more, depending on the resources the client commits to the effort.
   
   
6. Testing: The importance of testing, and re-testing, the systems after the actual Year 2000 conversion process cannot be overemphasized. My earlier analogy to the Space Shuttle applies: every component of every system needs to be checked and re-checked before the shuttle lifts off. Complex information systems need the same kind of verification before their users can be confident that they are Year 2000 compliant. The testing phase may also run several months - the securities industry is planning to spend most of 1999 on testing programs.
   
   
7. Redeployment: By necessity, the affected systems are tested off-line. Once the testing is accomplished, the Year 2000 compliant hardware and/or software is 're-deployed" into the production systems. This may sound easy, but it's yet another critical phase in the overall project - like re-installing the main engines in the space shuttle. If all has gone well up to now, the redeployment phase may take only a few weeks, and the project will be largely complete.

This is a general methodology but it will obviously be influenced by factors such as: decentralized systems within an organization; system components scattered around the nation or the world; multiple programming languages used within an organization; the regulatory environment of the organization or its industry. As you can deduce from our time estimates for each phase, the entire Year 2000 conversion project in a large organization can take several years.

Critical to the success of our methodology is the commitment of the client organization to solving its Year 2000 problems. Thus we advise clients to focus on four areas while the project is underway:

1. Awareness: Management of the company at all levels needs a general understanding of the problem, and senior management needs acute awareness of the project's importance in order for it to succeed.
   
   
2. Communication: Internal, as well as external, constituencies need to be kept apprised of the organization's Year 2000 efforts, and be kept updated on progress. Constituencies include shareholders, directors, employees, customers, suppliers, regulators. Senate Bill 1518 is directed to this task.
   
   
3. Budgeting and Resources: The organization must commit and maintain adequate financing and employee resources to the conversion project.
   
   
4. Project Management: Management talent and commitment is critical. Senior management must be involved and focused throughout the project.

Frequently, we are asked: why does it take so long? Why is it so expensive? The simple answer is that fixing the Year 2000 problem is time and labor intensive, and we are running out of time. In fact, we are now advising companies that are just starting their Year 2000 work that it is unrealistic to expect to fix everything by Year 2000. We are recommending a "triage" approach that focuses on the most critical needs of the organization first.

In addition, we remind our clients that their organizations do not live in isolation. Their vendors, suppliers, customers - anyone they do business with - affect their Year 2000 compliance efforts. Company A may be 100 percent Year 2000 compliant, but if Company B, a key supplier, misses a critical shipment to Company A, then Company A also has a Year 2000 problem to cope with. In the area of banking and financial services this is a critical vulnerability. We are heartened to see the Federal Reserve Board, the SEC, the Securities Industry Association and other organizations place such an emphasis on cooperation between securities firms, banks, exchanges and clearing houses to work together and test systems together. This is an example other industries should follow.

We recommend that the leaders in any organization ask themselves the following:

• Has our company undertaken (completed?) a comprehensive analysis of our Year 2000 vulnerabilities?
  
  
• Have we allocated full-time resources -- budget and people -- to deal with the problems? Are we underestimating the extent of the problem?
  
  
• Have we budgeted enough? What if banks stop loaning money to us because of lack of progress towards compliance?
  
  
• Can we alleviate the most critical problems in time and cope with the rest later?
  
  
• Do we have contingency plans, backup options, if we fail to reach minimum Year 2000 compliance?
  
  
• Are our suppliers, distributors, and key customers, addressing their vulnerabilities? How do we monitor them? Do weak links exist at any of these points that could affect us? This is an extremely critical, but often unasked, question. Remember: the chain is only as strong as its weakest link.
  
  
• Have we examined our legal liabilities? Are we adequately insured?
  
  
• Have we properly disclosed our situation to our directors? To our shareholders?
  
  
• Are our physical plants vulnerable to outages from systems containing embedded chips? Examples of these are elevators, heating and air conditioning systems. Is our landlord on top of the problem?
  
  
• Have we considered the readiness of the communities in which we do business? Will government services critical to our missions be compromised, impacting our ability to deliver product or services?

Finally, we have some advice for leaders in coping with the Year 2000 problem.
This is like a checklist:

1. Assemble an emergency management task force - operations, legal, finance, sales, directors - to assess and monitor the situation, plan a solution and implement it.
   
   
2. Appoint a Year 2000 project manager - a person who knows the issue thoroughly and will tackle the project with passion; a command-and-control person who will provide you and your task force with needed, but not unnecessary, information.
   
   
3. Go to a 'war footing," allocating the resources that you would in a major crisis. You will not regret this when other companies are being sued for neglecting the problem.
   
   
4. Recognize that there are no 'silver bullet" solutions. The fix will take time, effort and money. Priorities will have to be adjusted.
   
   
5. Don't let your competitors exploit your lack of progress ... those who become compliant first will have enormous advantage over those who don't.
   
   
6. Allocate sufficient time for testing. It's not fixed until it's tested.
   
   
7. Finally, bear in mind that executives and board members may be personally liable for Year 2000 related business interruptions, failures or losses.

Mr. Chairman, in summary, American organizations have already spent billions of dollars on Year 2000 remediation work, but $1 trillion probably will be spent worldwide to prevent major problems from arising. While organizations should have begun fixing the problem by now - and many indeed have - it's not too late for other organizations to begin. Given that a typical Year 2000 project will take a year or more, a "triage" system will be necessary for many of these organizations. As time runs out and demand for resources outstrips the supply, expect costs to rise.

The cost of minimizing the Year 2000 problems will be significant, but the most important goal is this: Staying operational and competitive in the Year 2000.

Mr. Chairman, thank you again for inviting us to participate today and we would be happy to answer any questions.

Home | Menu | Links | Info | Chairman's Page