Appendix P:
Year 2000 awareness

Background

Computer equipment, software and systems and other products and services which involve or rely on computer microprocessor technology (often referred to as ‘chip technology’) may have problems handling dates in the year 2000 and beyond. It is difficult to predict the problem and impact precisely, but the problem exists for both IT and non-IT items containing date-sensitive components.

The DSS Year 2000 Programme was asked to help BFI in the inspection of Thanet to review year 2000 activity. The result of this review is presented below.

State of preparedness

There are certain key activities and structures, management and operational, which organisations must have in place in order to be prepared for problems posed by the year 2000 date change. At this stage, in order to feel confident about its state of preparedness, an LA should have certain key elements in place. These are described below under a number of generic headings.

Awareness

It must be understood that the potential impact of the year 2000 date change is a business problem and not just an IT problem. An effective communication infrastructure to increase this understanding should be established.

Members and senior management should be aware of the risks and required action associated with year 2000 issues.

LAs should agree and fully document descriptions of individual responsibilities and required actions.

Year 2000 management

Members and senior management should provide the sponsorship and resources needed for year 2000 work.

LAs should:

  • appoint a year 2000 project manager and agree and document a definition of what is meant by year 2000 compliance
  • assess, prioritise, effectively structure, co-ordinate and control Year 2000 work using clear documented strategies and a comprehensive project plan
  • produce regular status reports and hold meetings with key stakeholders and senior management to discuss progress, issues, remedial action and other related topics
  • measure progress and success by internal, external or independent reviews
  • develop documented action plans so they can handle the management and implementation of any findings effectively
  • continually communicate progress, internally and externally as appropriate.

Risks

LAs should:

  • have a strategy and process for managing the risk posed by the year 2000 date change. This should include a cross-reference to business continuity plans, which should be documented and monitored
  • regularly report and communicate progress
  • regularly review, manage and document identified year 2000 risks.

Priorities

LAs should:

  • assess and prioritise year 2000 work and deal with the more critical aspects first
  • regularly review, manage and document priorities.

Systems

LAs should:

  • produce an up-to-date inventory of all IT and non-IT (embedded) systems, hardware and software
  • assess all inventory items to component level for year 2000 compliance
  • prioritise the inventory in terms of business criticality and effort apportioned as appropriate
  • produce compliance recommendations for critical items
  • devise an implementation strategy and plan with and regularly report progress to key stakeholders.

Testing

LAs should:

  • devise, document, implement, monitor and communicate a testing strategy and plans for both IT and non-IT items
  • carry out end-to-end testing in a secure year 2000 test environment
  • carry out interface testing to external systems
  • carry out business assurance testing to give confidence to end users.

Suppliers

LAs should:

devise a strategy for managing year 2000 compliance of suppliers

  • identify and contact all suppliers for information about their year 2000 project, progress, contingency
  • analyse responses from suppliers and take any action needed to obtain assurance about year 2000 compliance as necessary
  • assess and review risks emanating from suppliers and link them to relevant contingency plans.

Business continuity planning

LAs should:

  • include contingencies and special arrangements for the year 2000 in business continuity plans
  • rehears and test special arrangements and contingencies for the year 2000.

Legal aspects

LAs should:

  • assess the impact of the year 2000 date change in respect of statutory obligations, health and safety and liability
  • keep auditable records of all year 2000 work for external scrutiny, so they can prove due diligence if necessary.

Findings

We assessed Thanet’s state of preparedness against the above criteria. Our findings, together with recommended actions, are summarised in the following table.

Fig. P.1: Thanet’s state of preparedness

Area of activity

Finding

Recommended action
Awareness Interviewees were aware of the business risks posed by year 2000 issues.

Responses suggested, however, that activity was focused on potential IT problems rather than on threats to business continuity.

 Thanet should:
  • continue to maintain the current state of awareness
  • strive to increase this level of awareness, in particular with regard to non-IT business continuity issues.
Year 2000 management There is no documented IS/IT strategy for Year 2000 work.

36 ‘building block managers’ have been appointed.

There are no strategic documented plans to ensure complete coverage and identify interdependencies.

Key milestones may be locally identified, but there is no overall plan to bring these together.

The IS/IT strategy group has a corporate responsibility, but no single individual has responsibility for delivery of the various strands of year 2000 work.

There is no process in place to monitor progress. Individual building block managers are expected to report to the IS/IT strategy group on an exception basis. There are risks inherent in this process.

 Thanet should :
  • produce plans of year 2000 work with key milestones, achievements and exceptions (where targets have not been met) so that it can assess the whole picture and start remedial action
  • develop formal monitoring and reporting procedures for all those responsible for year 2000 work to report to the IS/IT strategy group and onward to the management team on a regular basis.
Risks Thanet has no process for identifying and managing risks posed by the year 2000 date change. Thanet should urgently develop a year 2000 risk assessment so it can identify and effectively manage risks.
Priorities It was generally agreed within Thanet that year 2000 work priorities centred on HB or CTB and payroll, but there is no documented prioritisation of work. Thanet should document a list of year 2000 work priorities so that progress can be measured.
Systems – IT Thanet intends to replace its existing IT infrastructure by March 1999.

If the new system is not implemented in time Thanet will continue to use the existing system.

A year 2000 compliant version of the existing software has recently been supplied and will be tested and implemented in the near future.

The IT client manager attends meetings with other managers of year 2000 work within KCC but does not have Internet access, which affects his ability to deal with year 2000 issues for Thanet.

 Thanet should :
  • identify any risks in the timing of the implementation of its new system and ensure that they are managed
  • consider giving the IT client manager access to the Internet for information on suppliers, software releases and general year 2000 information.
Systems – non-IT Thanet has no inventory of embedded (non-IT) systems.

There is no documentation about any programme of work to make these items year 2000 compliant.

 Thanet should produce an inventory of embedded systems, a documented risk assessment and a planned, co-ordinated programme of work to ensure year 2000 compliance.
Testing The contracted supplier has tested desktop PCs. Non-compliant PCs will either be replaced or have software upgrades, depending on the level of non-compliance.

A year 2000 version of existing software will be tested and implemented shortly.

There are no plans to carry out full end-to-end testing of the current system due to the lack of a suitable environment and planned implementation of a new system.

 Thanet should:
  • have test plans in place by now
  • prepare for the necessary test programme as a matter of urgency.
Suppliers Thanet:
  • uses the British Standards Institute (BSI) standard definition of year 2000 compliance
  • has contacted all suppliers to seek confirmation of their year 2000 compliance
  • has not yet reviewed all existing suppliers’ contracts
  • plans to include year 2000 statements in all new contracts.
 Thanet should review all existing supplier contracts.
Business continuity planning There are no formal business continuity plans or disaster recovery plans for the computer site or the HB and CTB business delivery units.

Thanet hopes to develop disaster recovery plans for the communications room, which would include the computer suite.

 Thanet should develop comprehensive business continuity plans which describe contingency actions resulting from possible disruption caused by the year 2000 date change.
Legal aspects Thanet has not assessed any impact on or risk to its statutory obligations posed by the year 2000 date change. Thanet should include in its assessment of risk possible threats to its ability to continue to meet its statutory obligations as a result of the year 2000 date change.

Source: BFI inspection

Conclusions

We found that Thanet is aware of the threats posed by the year 2000 date change and is undertaking year 2000 work. However, efforts are not formally prioritised, co-ordinated or structured and Thanet would benefit from formal processes to report progress and document issues to the management team and IS/IT strategy group on a regular basis.

Ensuring the year 2000 compliance of the HB and CTB systems is a high priority for Thanet and it is taking action to replace the IT infrastructure, culminating in a new client/server benefits system due to go live in October 1999. The IT replacement project needs close management to ensure that no slippage occurs due to its complexity. There is some degree of risk if the project deadline is not met, as Thanet may not have enough time to test the new system and go back to the old system if necessary.

 

BackwardContentsForward