Small business beware: the Y2K bug may bite you the hardest.
In the waning hours of the 21st Century, the myths and misconceptions about Year 2000, or the "Millennium Bug," or "Y2K" - however one refers to it - are rampant.
And small businesses across the country, lulled into believing Y2K is "no big deal," are dozing at the controls of an engine that will collide with the 21st Century in just a few short months.
Unfortunately, as time grows short and momentum increases, many small businesses - and consequently some of their larger counterparts - won't be able to apply the brakes in time to avoid the wreck.
The most pervasive myth is this: that by merely buying new software, or a new PC network, a company has nothing to worry about. And even if something did happen, it won't be a big deal.
Wrong, say many experts and consulting groups.
The reason is this: the Y2K problem in most cases cannot be corrected by nearly purchasing remedial software, or "patches" designed to correct the Y2K date-field problem. Much more should be done, including identifying each potential hardware and software system and its components, and analyzing, testing, reprogramming (if necessary) and replacing systems and components, followed by exhaustive and time consuming testing of all of these.
There simply are no shortcuts - which is why experts have estimated that the remediation and testing phase, depending on the size of the company, can take as long as the year to complete. The more companies that ignore these accepted facts, the bigger the potential for disaster when the train wreck occurs.
So why the concern about small businesses?
Besides surveys that have been done by national consulting firms suggesting that small and medium-sized businesses are lagging far behind others in their Y2K compliance efforts, problems faced in the future by small businesses can cause problems for larger companies.
Here's why. The Banking industry, for example, may be well ahead of schedule in achieving technical Y2K compliance. But suppose that a particular bank has not bothered to investigate whether its largest customers are Year 2000 compliant (and even that these customers have taken additional diligent steps to contact their major suppliers or customers). Then, at some point, several of these large customers experience business disruptions that cost them business and possibly result in a costly lawsuit. Should one of those customers go belly-up, the bank's assets are threatened, causing a chain reaction that could threaten the financial institution's overall viability.
Certainly no one wants to see this happen to the Banking industry. That's why the Federal Government - chiefly the Fed, the FDIC and an inter-agency group called the FFIEC - has been riding herd over the nation's banks to make sure they have taken all necessary steps (including developing contingency plans) to ensure that they are operating - and are healthy - through the turn of the century. But what of the other industries? Those that are not regulated?
This is where the problems which might hit small businesses hard could also seriously impact larger, unregulated companies. Remember, the small to medium sized businesses are the suppliers of goods and services to the larger industries.
Obviously, widespread disruptions among these businesses could cause disruptions in larger businesses and industries - particularly if diligent steps have not been taken by the bigger companies to look beyond their own back yards and prepare for this.
The up-and-downstream distributors, suppliers and customers of bigger companies, therefore, are critical cogs in the industrial and commercial wheel that turns our economy. With out all the cogs in place and sturdy, business and industry, collectively, won't run smoothly.
These issues have been largely ignored - even by larger companies. Indeed some companies have spent millions of dollars on their compliance plans and remediation efforts. And some have in fact developed elaborate contingency plans. But far too many have either ignored this potential "ripple effect," or have paid only lip service to it.
And this is the core of many potential legal problems. And no one can predict what will happen. Because Y2K is an issue that reaches into the highest level of business management, directors and officers of companies need to be actively involved in their companies' Y2K compliance plan. Failure to do this could result in individual liability for a company directors, officers and other high-level executives if systems disruptions caused injury or damage to the third persons.
Thus, the urgent issue facing businesses today is twofold: 1) is the business must aggressively address the technical aspects of its Y2K systems problems, and B) it must also take certain predetermined steps aimed at its overall Y2K compliance effort. The latter is extremely important. The reason it is so important is that these predetermined steps, which are quickly becoming the minimum standards for due diligence, will be at the foundation of litigation in the future.
For example, a business that fails to take the appropriate steps toward overall compliance may risk not only certain Y2K related disruptions and failures, but also will be viewed and judged in the future as to whether it performs basic, minimum due diligence in addressing its problem. The failure to exercise this due diligence may be viewed in the future as a failure to exercise "Due care" which is an age old and well established legal standard for determining whether a person or entity has negligently. Lawsuits based in negligence, in the future, may be very costly-so much so that, depending on the type of damage or injury claimed, a negligence award could put a small or medium sized company out of business.
Recent estimates by consulting groups that have been tracking business and industries' compliance efforts suggests that between 30 and 40 percent of companies and businesses are behind schedule in their Y2K compliance efforts. These companies' potential liability may revolve around degrees of noncompliance. For example, if a particular company has diligently been addressing its Y2K issues, but for one reason or another has fallen behind schedule in the technical component of its compliance plan, its liability may be significantly less than a company that has ignored the Y2K issue.
Ignoring the Y2K issue is simply not an option. It doesn't really matter how large or small the company is, because the Y2K glitch, depending on how and when it occurs, can seriously disrupt-and even shut down-a business if a system failure impacts a mission critical operation of that business. Some consulting groups, industry leaders and government officials, had been focusing on statistics which indicate that a high percentage of companies across the nation are on schedule in dealing with the Y2K problem. For example, the firm of Capers Jones recently examined eight critical American industries with regard to their Year 2000 compliance efforts. Although, on average, more than 55 percent of those industries surveyed were on schedule, a significant-and disturbing-38 percent were behind schedule. According to the survey, nearly 6 percent work ahead of schedule. The proper focus here should be on the percentage of companies and businesses there behind schedule.
Consider for a moment, a business' or industry's reliance, to whatever degree, on any of those 38 percent of businesses that are behind schedule. Some of these business may be entities upon which these businesses rely .
This is what is referred to as the "downstream supplier problem." This is something that is largely overlooked by many businesses. The reason for this isn't clear. But there is developing among businesses potentially affected by Y2K a kind of "NIMBY" (Not In My Back Yard) attitude toward Y2K. This attitude is very dangerous because it overlooks very important potential pitfalls for companies. That is, failure to consider the compliance efforts of one's neighbors, suppliers, and others with whom one does business can produce some surprises in the future for which a particular business may find itself liable.
Why? Because an emerging standard of due diligence suggests that one has a responsibility, not only for itself but for its customers and clients, to ensure that necessary goods and services upon which it relies will be provided, and that its own business functions won't be disrupted.
This brings us back to the small business problem. The chairman of President's Council on Year 2000 conversion said recently that "The Y2K problem could spell doom for any small and medium sized business that isn't prepared. " The United States Chamber of Commerce determined than 82 percent of small businesses were at risk. And, of the nearly 25 percent of all businesses worldwide that have not yet addressed the Y2K problem, 83 percent of those are small businesses.
Consider now the extent to which larger businesses and industries rely on small business for various goods and services. If 83 percent of the small businesses are risk, it is virtually certain that larger businesses and industries will be affected to some degree by the Y2K bug, no matter how diligent they have been in addressing their own systems problems. And again, the failure to adequately assure that one's suppliers of goods and services are going to deliver creates legal liability for these larger industries in the event that someone is damaged, directly or indirectly, by disruptions in that particular industries operation.
So what can a small business to to minimize its risk? First, the business must develop a written Year 2000 compliance plan. This plan should give more than lip service to the year 2000 problem. As part of this plan, the business should include directors, officers and others at the highest level of management to whom the Y2K task force will report.
Secondly, the business, if it has not done so already, must do a thorough inventory of all of its hardware, software and firmware to identify at the outset what systems and components it has. From this inventory, the business must identify those systems and components which are critical to the diseases operation. Third, the business needs to take a thorough in inventory of all of the information technology vendors who supply these products. This is critical because, in most cases, these vendors will be the ones who will perform the necessary remediation and testing work to bring the business into technical compliance. Fourth, once these systems and vendors have been identified and prioritized, the businesses' key contracts, license agreements, and other agreements should be reviewed by legal counsel to ensure that necessary remediation, replacement and testing of products and services will be delivered-and importantly-at what cost. It's important to know that the cost of fixing the Y2K problem can be significant, relatively speaking, for any business and industry. But failure to take appropriate steps because of the cost will not be viewed as an excuse in future if the business is sued by someone who has been damaged by a Y2K related disruption or failure.
Many people in the business world are skeptical about predictions of a "Tidal wave" of litigation following the Year 2000. There may be some justification for this skepticism. Something that seems as deceptively simple to lay person as a "Glitch" must also be simple to fix. After all, people have come to accept the notion that modern electronic technology is capable of doing almost anything. Ironically, however, it is this very technology which created the Y2K problem, and yet this very same technology seems incapable of fixing it on a large scale before the Year 2000.
Why? Because, although the problem is technical in nature, it is human intervention that has put us where we are today. That is, the information technology industry, which deliberately programmed the glitch into these computers, failed for one reason or another to warn the consuming public in time of these impending problems. For example, many Y2K as experts agree that the Y2K bug did not become widely known or commonly known until 1996. However, the information technology industry knew about this problem back in the 1960s. Indeed, with the development of the computer chip, the Y2K problem could have been fixed decades ago. Had that been done, the world would not be facing what some believe is the largest human error in modern technology.
As we know, none of this was done. In fact, rather than to issue warnings and distribute solutions to this potentially disastrous problem, the information technology industry, as a whole, swept Y2K under the carpet. One can only speculate why this occurred, but clearly among the concerns of the information technology industry was in its potential liability. And naturally, faced with that, its lawyers advised the industry not to admit fault.
Whether, or to what extent, anyone is at fault will be determined later in the courts and by legislators. That die is already cast.
The important issue now, especially for small businesses, is to recognize the need to take some action now. Indeed it may be too late to begin and complete a full-fledged compliance effort. But, like any known problem, taking some preventative action is far better than taking none at all.
All rights reserved. This article may not be reproduced or republished, in whole or in part, without express permission from the author.