Mr. Chairman, distinguished Members of the Subcommittee:
My name is Bob Austrian and I am Vice President of NationsBanc Montgomery Securities, an investment bank in San Francisco. I am a senior research analyst covering the Enterprise Software industry. In other words, my expertise is software for businesses and the vendors which supply these systems.
I appreciate the opportunity to testify before this Subcommittee and wish to note that the testimony I give today represents my personal views and does not necessarily represent the views of NationsBanc Montgomery Securities. As requested, my testimony today will be devoted to my assessment of the liability risks associated with the Year 2000 computer problem, the adequacy of disclosure in this area, and what sectors of the business community may be most vulnerable to computer failures and lawsuits resulting from the so-called "millennium bug."
First, I would like to present a brief overview of my testimony today. For the past 12 years, I have been involved in the financial, technical, and investment analysis of public companies, primarily those in the software industry. This work involves highly detailed inspection of companies' financial filings as well as other company-specific details. In addition, my colleagues and I have spent much of our time recently on the Year 2000 problem. For these reasons I believe I am qualified to comment on adequacy of disclosure, the seriousness and uniqueness of the Year 2000 problem and its ramifications for business. I am less qualified to comment on specifics of liability, as I am not an attorney. The net conclusion from the testimony I am about to give is that I believe investors require more Year 2000-specific disclosure than is currently being provided. Our own challenge in assessing the risks faced by public companies in the Year 2000 arena is a signal that more disclosure is needed particularly given that we are "experts" in this area. The risk is both greater and faster changing than most other risks companies face.
I am an investment analyst providing technology, financial, and investment analysis of the companies that provide software solutions for businesses. Some of these companies provide solutions to the Year 2000 problem. I have 12 years experience following public companies in the software sector. My colleagues, of whom one, Tom Pagel, is here with me today, and I have been researching the Year 2000 issue in depth throughout this year and have been watching the issue unfold for some time. In September, we published what we believe is a fairly detailed, investment-focused report on the matter. We have distributed a copy of our report, entitled "Millennium Morass," along with this prepared statement. As part of our background research for the "Millennium Morass" report, we surveyed 67 technology managers, interviewed scores of managers, including a number of senior managers in Fortune 500-class companies, and reviewed a wealth of published material on the subject.
We believe the Year 2000 problem is significant, but will not bring about the end of "life as we know it" (as some doomsayers are predicting). We think world-wide information technology (IT) expenditures to address and fix (whenever possible) the problem will total at least $600 billion. Importantly, this figure does not include litigation expenses, which we believe will be significant. As described in the accompanying report, we believe there is no longer enough time for all organizations to fix the problem, assuming manual (versus tools-based, automation-assisted) techniques are used. Even with the use of software tools to automate part of the task of fixing this problem, we believe many organizations, including the Federal government, may fail to make all of their systems compliant in time.
The Year 2000 problem is a unique example of an IT challenge, unlike any other IT issue ever encountered. A number of factors differentiate the Year 2000 problem from other IT issues. Our "Millennium Morass" report includes detailed descriptions of these factors, which are outlined here. First, the problem affects virtually all companies. Second, it affects them simultaneously. Third, the deadline for completion of the project will not move. Fourth, the deadline is unrelated to the size of the task. And last, the deadline is much earlier than expected for many applications. We believe the net result of these factors, together with an already constrained technology labor supply, is a shortage of two key resources: time and labor. We stress that money is not necessarily in short supply within organizations, and that, given time constraints, spending additional money will not solve the problem alone. In short, there is a bona fide shortage of time and labor, and the situation is worsening almost daily. We believe most large organizations, especially those currently in the earliest stages of addressing the problem, will be extremely challenged to complete the job on time. Many will "triage" and fix only the most critical systems. We believe it is likely that the Federal government will not complete even its so-called "mission-critical" systems on time. Note that "on- time" does not mean by January 1, 2000, but rather some date between today and January 1, 2000, as most software systems "look ahead" by some amount of time as, say, a calendar program on your PC plans a year at a time.
As of today, there are exactly 800 days remaining until January 1, 2000. We believe the vast majority of companies have begun to address the issue in some way, although most (at least 70%) are still in the earliest "assessment" phase, now determining the size and scope of their task. A small but growing group of companies have disclosed their cost estimates. Expected investments of $40 million or more are common within the Global 3000, and several companies have estimated that they will spend $200 million or more in this area. Federal government agencies now estimate that they will spend $3.8 billion, up from an initial estimate of $2.3 billion early this year. External sources estimate that the Government's tab will be as high as $30 billion.
While we are not attorneys, we believe organizations and their officers face potential liability in many areas. For example, companies that do not fully disclose the dimensions of their Year 2000 problems may be liable under federal securities laws. Our research has led us to consider a few additional examples. Companies (in many industries) selling products that are not "Year 2000 compliant" and cause financial or other damage to the buyer may be liable. Examples include vendors of software or any products with "embedded technology," such as computers, elevators, automobiles, etc. Financial institutions that lose track of account balances or fail to execute transactions properly may be liable. "Year 2000 companies" that supply tools or services to fix Year 2000 problems may be liable if "repaired" software is not fixed properly. Finally, companies may be liable for damages experienced by their corporate customers. For example, manufacturing "supply chain" companies could be liable if their systems fail and do not adequately supply products. With respect to this topic, we cite the following communication, reported in March 1997 by an industry trade group, Information Technology Association of America (ITAA):
To summarize, we believe there are many areas of potential liability for organizations, including many beyond those described here. As we are not experts on legal matters, we offer only limited discussion and a few examples we have encountered or considered during our research.
Currently, companies are required to address Year 2000 issues that are material to investors in their SEC filings. While all companies have some Year 2000 exposure we believe it is material for many few have addressed the issue in their filings. Of those that have, the vast majority state either that it is not a material issue, or that they do not know how large the problem is. A small percentage estimate what it will cost to make needed repairs. Below are a few examples (edited for brevity) of what companies have stated in recent SEC filings:
We believe more detailed disclosure is needed than has been provided to date. As a result of the uniqueness and seriousness of the problem, we believe investors should be provided with more practicable and specific information about this area of risk than other, more general areas and types of risk. Conveying to investors that, say, "expenditures required to fix the problem are material" or are "not material" does not adequately represent a corporation's risk to investors. Such minimal or general purpose disclosures fail to adequately reflect the probability or associated risk of not complying on time. The following factors demonstrate why we believe the situation is now serious enough for special treatment.
Companies in general are seriously behind schedule in achieving compliance. Assuming software applications actually process "look-ahead" dates of up to one year in advance, compliant applications should be fully implemented by the end of 1998, and testing should therefore begin by the end of 1997. However, companies are still mostly in assessment. An August 1997 poll of 128 Fortune 500 IT directors and managers by Rubin Systems Inc. for Year 2000 services provider Cap Gemini revealed that only 16% have begun implementing a full-fledged strategy and only 24% have a detailed plan in place.
In addition, expenses will be material. We believe the average Fortune 500 company will spend at least $100 million on its fix. Chase Manhattan, Merrill Lynch, Hughes Electronics and Prudential have all publicly stated that they will each spend at least $100 million on the problem.
However, more important than monetary expenditures are risks associated with shortages of time and labor resources. This perspective is not yet broadly embraced, and disclosures about "risk" in this area similarly under-emphasize these critical factors. We believe that financially, most organizations will not be too negatively affected by the Year 2000 problem, but that many may literally run out of time and labor resources. Specifically, there is a serious shortage of labor that is only getting worse. Estimates of the number of incremental programmers needed to address the problem in the United States range from 150,000 to 200,000 or more. These needs exist against the backdrop of an industry-wide base of less than 2,000,000 programmers, all of whom were recently fully employed on projects other than the Year 2000. In April, Gartner Group reported that 1997 labor costs rose 30% from 1996 (when they averaged $60 per hour) and are still climbing. We believe labor costs for skilled IT personnel will continue to increase at least 30% per year over the next three years.
To most fully understand the Year 2000 problem's effect on an organization, we believe investors should be provided with:
In addition, there should be quarterly reporting of milestones completed relative to plan as well as new risks recently encountered. Some may respond that in order to gather these details, investors can simply ask. We attempted exactly that in March, 1997 when we surveyed 5,000 senior technology managers in U.S. corporations. Only 1.3% (67) of our surveys were returned, demonstrating what we believe is an unwillingness to disclose facts concerning progress or the lack thereof on addressing this issue. Finally, it is not surprising that senior corporate managers have been unwilling to discuss this matter on the record: few are ahead of the game. If more were on track with efforts to remedy any deficiencies, we would be hearing more about it, as success in addressing the issue would quickly become a competitive differentiator.
Software companies may be unique with respect to Year 2000-related risk. They may be subject to: (1) exaggerated demand for software products in one period i.e., as Year 2000 replacements are undertaken followed by periods of lower growth thereafter; and (2) re-allocation of spending away from new IT projects in favor of fixing Year 2000 legacy code. For example, one of the leading software companies in this country, Oracle Corporation, recently filed a 10-K that includes the following:
In addition, earlier this month, PC Week magazine quoted leading software vendor PeopleSoft's CEO Dave Duffield at a Gartner Group symposium:
We expect to see similar disclosures from other software companies that are currently experiencing increased, but temporary, demand as a result of the Year 2000 issue. Some factors that we believe affect the respective levels of risk among software companies include the extent to which their applications replace existing, non-compliant systems and the amount of time required to install such products. We believe these topics should be addressed by software companies, whether they are required to do so or not.
We believe nearly all sectors of the business community are vulnerable to the Year 2000 problem. Some are more vulnerable than others, including those with the most date-intensive applications. These include banking, investments, insurance, and manufacturing industries, the latter more a result of their highly computer-dependent, "just-in-time" inventory practices than of a high incidence of dates per se.
In December, 1996, International Data Corporation surveyed 500 executives of medium and large companies spanning six industries including banking, insurance, investing, manufacturing, utilities and communications. Executives in the banking, insurance and investing industries stated most frequently that the possibility of legal liabilities existed in their industries; 55%, 43% and 37%, respectively, responded "yes" to "Possibility of legal liabilities arising from Y2K problems?". In the survey, the following sources of legal challenge were named by the percentages of executives shown (more than one answer was allowed):
Although some industries seem more likely to experience legal liability than others, we strongly believe that all industries are affected by the problem and subject to litigation risk. Thus, with the possible exception of the software industry described above in section III.D., we do not believe it is useful to distinguish among industries in terms of regulation or disclosure requirements with respect to the Year 2000 issue.
We believe the Year 2000 problem is both real and large. Organizations need, and are only now increasingly securing, involvement from CEOs; we believe this is necessary for organizations to have a sophisticated and credible approach to the problem and to boost the probability that they achieve timely compliance. We stress that the greatest danger for management is to look only at monetary costs to fix the problem, which in many cases do not appear significant as a percentage of the organization's revenues. Focusing on monetary costs can obscure the significant shortages of time and labor resources that can and do exist. These shortages cannot be adequately addressed by higher spending. This critical point can be easily be missed by those with limited experience in information technology or an overemphasis on financial burden and financial risk. We hope that organizational management will understand the issue and devote the necessary attention to solve the problem. Finally, we believe the Federal government faces as much risk as any organization. Just as any company's CEO should be involved in addressing these issues, attention from the President may be required to achieve satisfactory results.
Mr. Chairman and distinguished Members of the Subcommittee, that concludes my testimony and I would be happy to entertain any questions you may have.
Home | Menu | Links | Info | Chairman's Page