EURIM is the Parliament/Industry group

concerned with the Information Society

The recommendations in EURIM Briefing 20, The IT Implications of the Convergence of Year 2000 and EMU, remain valid but time has moved on. Risk and expense increase daily with the continued lack of information on actual Year 2000 date problems and their solutions. Action to remove legal obstacles to the sharing of "best information" is long overdue, and essential if SMEs are to get the help they need in time. Similarly, the lack of information on national rules and timetables for EMU is leading to "rationalisation" among those able to offer software and services. The lack of a decision in the UK whether or not sterling will enter the EMU at some stage is adding directly to business costs.

The growth of prioritisation between systems which are essential to corporate survival, those which give competitive advantage and those which can be sacrificed, has led to a sharp fall in IT spend other than where failure to handle Y2K or EMU would have serious effects. Demand for skills to handle the Y2K problems found with current desktop and client-server systems has yet to peak. Most IT suppliers are competing harder for staff to fulfil existing commitments than for new business. Those who have not yet secured the resources they need for Y2K and EMU are in growing trouble.

There is now widespread publicity for the need to ensure continuity of critical infrastructure systems, including telecoms, electricity, transport, and healthcare. The initial Y2K testing for some of these is already completed, but others involve loops of interdependence and issues of priority setting which only Governments can resolve. Some involve "generic" contingency planning to handle the consequences of prolonged holiday periods, massive crowds and traffic chaos - with the capacity to overload systems that have no Y2K date problems.

.

The Euro will become increasingly important in the UK whether or not sterling is taken into the EMU. Multinationals operating in this country are already converting. For many companies, however, the business case for putting resource into the conversion process cannot be made unless and until the Government confirms a decision of "when", not "if". The longer that decision is delayed the greater the cost to business and the more frantic will be efforts to convert if a Yes vote is given with, as has been suggested, a shortened transition period.

Despite the three year option, it is estimated that a quarter of "Euroland" companies expect to convert their core accounting during 1999, with a peak cut-over timed for Easter, which coincides with the fiscal year end. Changing the base currency of an existing system is a prodigious IT exercise and the scale and nature of the resource requirements are still not properly recognised.

Since a lack of co-ordination on conversion dates between buyer and seller would lead to chaos, powerful players in supply chains are insisting their suppliers convert on the same timetable. Many UK firms will soon have to trade in Euros, whether or not sterling goes into EMU and may face the possibility of operating in dual currencies indefinitely. The knock-on effect of this on small firms will be considerable. In addition, UK exporters will have to operate in Euros or be forced out of European markets.

The DTI should be asked to monitor the situation in Europe, especially during the Easter cut-over peak, and learn from their experiences in readiness for any UK action. Unlike Y2K, there is as yet little sharing of information in the private sector, so the results should be published and information disseminated to small firms (eg through Business Links) at public expense. Special attention should be given to external dependencies - where cultural differences have a significant impact - and the contingency plans used to deal with them.

There are still a number of matters that need to be clarified by the Commission before systems can be made fully operational. These include the position between participating and non-participating countries; triangulation, whether the GB£ is to be treated differently from the US$ or the Yen, and national local legal requirements.

A rationalisation process, based on what is currently known and understood, is under way, both within the finance industry and among service providers. The race is on to provide standardised packaged solutions and the winners (and only survivors) will be those software houses with the skills and resources to provide the necessary facilities to short-order

A large scale programme of training will be needed to ensure that UK businesses can make a smooth transition to EMU compliant systems for pan-European electronic commerce after Y2K is over - whether or not the UK plans to join before 2002. The Y2K "bugbusters", if retrained, could be a valuable resource.

On Year 2000 compliance, the UK is ahead of much of the rest of Europe, which gave priority of resource in 1998 to preparations for EMU. Large private-sector users in the UK are beginning to complete the audit and conversion of their central systems to handle Y2K. However, the scale of the problems with desktop and departmental client server systems using common operating systems and "shrink-wrapped" packages is only just becoming apparent - to both suppliers and users. Most small firms still appear unaware that they can face problems even with the supposedly "compliant" systems currently being shipped (e.g. inter-actions between packages and operating systems which address "compliance" in different ways). A common response among large users has been to standardise on bulk-purchased hardware/software platforms. Most smaller users have yet to appreciate the scale and nature of the desktop problem.

The image of Y2K as a legacy mainframe problem is dangerously misleading. Research for the 1998 IMIS (Institute for the Management of Information Systems) IT Skills Trends Report indicates that under 5,000 establishments in the UK have legacy mainframes (this includes those with software written with Y2K in mind or already upgraded by those who planned ahead). By contrast, somewhere over 200,000 establishments have client-server systems and over 2 million have networked or stand-alone desktop systems which need to be checked and may need conversion.

The bulk of the Y2K problem (both volume of systems and volume of organisations) is with equipment supplied within the past five years to establishments with no IS/IT staff and, in many cases, no maintenance or support contracts. Most have no ready way of knowing whether their systems are "compliant" or not, nor whether they must be replaced or can be "made ready" at low cost. Hence the importance of initiatives like the UK Government’s "Millennium Skills Centres" to train quickly large numbers of individuals with the basic skills necessary to check common PC-based systems for "compliance" and to convert, upgrade or replace as necessary.

There is a growing trend for large suppliers to exclude Y2K liability from new contracts and to "clarify" existing contracts. Small value-added suppliers and installers who buy standard components or systems from large suppliers, and are unable to pass the exclusion along the next stage of the value chain, appear to be among those at particular risk from this practice. The Office of Fair Trading and DGIV need to be ready to act rapidly if attributable evidence of the problem becomes available.

Similar action is needed with regard to the trend for suppliers to inform users that their annual licences for software will not be renewed after March 31st 1999 because the system currently in use is "not compliant" but that they may take out a new licence for the Y2K upgrade at a considerably enhanced cost. This is a particular problem for public sector users with budgets set well in advance.

The findings to date of the Loss Prevention Council on embedded systems (including both areas where no problems have yet been found and the scale and nature of those found) need to be given much wider publicity. So too do those suppliers who will accept full responsibility for their systems, provided they are contacted for any preventive maintenance and/or resetting that may be necessary.

Calls for the sharing of information on the readiness of commonly used products and services have commonly met with little response other than references to supplier information which may be misleading. Thus one EURIM member found that a line of "non-compliant" £500,000 control systems could be safely and simply reset by winding the clocks back 20 years. Other items were "compliant" but had other date problems or handled Y2K in different and incompatible ways.

CCTA should be tasked to provide Action 2000 and Bugnet (the Y2K information service run by the National Computing Centre for the Business Links) with the results of public sector Y2K tests and audits on commonly used hardware and software as part of an exercise to encourage major users, both public and private sector, to contribute.

The pooling of information between Business Links, including that on sources of advice and guidance, needs to improve. Action 2000 and/or DTI should monitor the availability and quality of advice provided. Small firms, in particular, need to know how to get low cost "fixes" which meet their requirements, without wasting time and money to ill-informed call centres or on fruitless Internet searches.

The Treasury Solicitor should be asked to recommend the legal actions necessary to enable "best current information" to be made available over publicly funded information services on terms which encourage both users and suppliers to contribute freely the results of their tests and audits.

Readiness around Europe is still very patchy and much more transfer of knowledge and experience is required. HMG can contribute to this exercise if the European Commission takes a pro-active stance, actively seeking best information on both EMU and Y2K to place on its websites. It should then use its massive internal resources to translate the information most likely to be required by small firms into all official languages

Much of European business has dependencies elsewhere in the world, some in areas which lack the money or the expertise to tackle Y2K, and where reassuring messages mean they have missed the point. Ironically, the problem is in some ways less serious in those territories where infrastructure failures are commonplace, since contingency plans are already in place. The "domino" effect of multiple crashes, is however, a major concern and corporate contingency plans must try to take this into account.

The work undertaken by HMG on supply chains and critical infrastructures is most welcome but needs a framework for prioritising the areas where action is most urgent. These should include:

• the risk of flooding (in the event of power failure to key pumping stations) in risk areas, such as London’s deep Tube lines, basements and power and cable ducts.
• priorities (or otherwise) for the supply of telecoms and power to major processing centres (eg finance and insurance), to Industries (eg petro-chemical) where short-order shut-downs can be damaging and expensive even if "safe", and to pumping stations for oil, gas, sewerage and water.
• considering whether the run down of the Territorial Army can be postponed until after Y2K so that they can be on duty, alongside regular soldiers and police. Even if all computer systems function perfectly, there will be a (once in a millennium) crowd control and public order problem, with associated criminal opportunities while the police are pre-occupied.

The recommendations of the Action 2000 Utilities Forum were welcomed by EURIM members provided that "independent assessment" is to be based on peer review by those with equivalent responsibility in competitors, suppliers or customers and not by consultants employed by regulators. It was felt that anyone not already employed in the area was unlikely to be competent while peer review was felt to be one of the most effective means of information sharing

The situation with regard to the Internet (as opposed to the mainstream communications networks over which it runs) is unclear. Some widely used routers and e-mail products and services are known to have problems. Some ISPs are known to have systematic programmes to replace those in their networks, but others are reluctant to provide information even to their largest customers. How many of the smaller ISPs are aware of the problems and are taking action is less certain. Most intra-UK, let alone nearly all inter-EU, Internet traffic runs through three of the five main US peering centres. The Y2K preparations of these are therefore critical, as are those of the one large UK peering centre.

The major IT and Internet suppliers should be regarded as part of the critical infrastructure loop. Their Y2K plans are of equal importance to those of the communications, power and water suppliers, many of which are already critically dependent on the performance of their products and services. It may not matter too much if the public Internet goes down, but failure in some of the private networks which use the same infrastructure and technology could be far more damaging.

Many of the areas identified for contingency planning are generic rather than Y2K specific. The difference about the Millennium is the risk of multiple failure, perhaps more likely from terrorist action or criminal sabotage than from software problems, during the Millennium celebrations. There is a split between those who feel that the appropriate response is to encourage early and planned stockpiling to handle a period of disruption (from raw materials and spare parts to bottled water, candles and tinned food in every home) or to condemn such doom-mongering and risk last minute panic reaction. A recent US study found that two-thirds of the Chief Executives contacted were making basic stockpiling plans for their families but not for their businesses.

This is an area where early and cold-blooded contingency planning may well help reduce the risk of panic as well as any genuine risk. The economic effects of advance stockpiling and subsequent rundown at a time of fears of global economic recession should also be taken into account. It may be that some large petro-chemical and manufacturing operations would welcome a pre-planned shut-down to help clear stocks. Such a break could, however, be disastrous to others.

There is also a need to clarify and publicise the situation with regard to "consequential loss". The Association of British Insurers has clear guidelines in this area but, unlike in the United States, such guidelines are not mandatory. The Gartner Group Y2K service, commissioned by LIRMA (now the International Underwriting Association of London) should be more widely publicised as a tool that can be used by others than Insurers to help focus attention and resource on areas of both vulnerability and risk. Parts of the world where the infrastructures are unreliable at the best of times appear, in practice, to be at lower risk than those which have come to rely on their urban infrastructures.