Public Sector

CENTRAL GOVERNMENT DEPARTMENTS AND AGENCIES

43. As the Chancellor of the Duchy of Lancaster has acknowledged, the threat posed by the century date change to "central Government and agencies is very serious but varies according to the nature of each organisation".[67] Many essential Government functions, such as benefit payments and taxation, depend on mainframe computers; Government establishments may contain embedded processors and Government "as a whole is increasingly dependent on personal computers".[68] The problem was recognised by the previous administration and plans were put in place to identify and correct Government systems that may be susceptible to date change problems. In 1996 the CITU drew up a programme which set specific targets for all departments and agencies:

• that inventories and audits should be complete by January 1997;

• that all departments and agencies should have prioritised, costed and timed programmes in place by October 1997; and

• that testing of all modified systems should be completed by January 1999.

Since September 1996, Government purchasing policy has required that all new equipment should be millennium compliant. The CITU and the CCTA have also been active in advising departments and disseminating best practice.[69]

44. Such momentum was reinforced by the current Chancellor of the Duchy of Lancaster who, when he came into office, asked to receive "detailed and costed plans, showing how ... departments and agencies were tackling the problem" and who has undertaken to review such plans each quarter.[70] The Chancellor of the Duchy of Lancaster also told us that the CITU would be responsible for verifying the efficacy of departmental and agency plans and, to some degree, checking that their remedial action was effective.[71] He also assured us that experts from the CITU would be made available to any department or agency that was seen to be falling behind schedule.[72]

45. Whilst, in principle, we find this programme to be satisfactory, we have two major concerns. The first is in relation to the costs incurred by departments and agencies in their Year 2000 programmes, all of which the Government expects to be met from within existing allocations. The departmental and agency plans submitted in November 1997 projected an overall cost of some £370 million (naturally with great variations between different parts of Government). Witnesses made two points in connection with this figure: first that it seemed unrealistically low[73] and, second, that experience in the private sector tended to show that the costs of Year 2000 programmes increased during implementation and as organisations came to understand more fully the amount of work that was necessary.[74] Indeed, up-dated plans show that projections of total cost rose by £23 million to £393 million between October 1997 and February 1998. In response to the first of these points the Chancellor of the Duchy of Lancaster told us that the figure "is not really very much out of kilter" with other organisations of a similar size with similar IT dependencies.[75] Nevertheless the Chancellor of the Duchy of Lancaster acknowledged that costs tended to rise and told us that departments would not be held to the figures they had reported-"it does not matter what the cost is, this has got to be fixed".[76] However, he also told us that if costs were to rise further, departments and agencies would still be expected to meet those costs from within existing allocations.[77] We accept that money alone is unlikely to solve Year 2000 problems but we are concerned that such a strict approach may limit departments' and agencies' ability to achieve maximum possible readiness for the century date change. It may also involve them in even higher remedial costs later. We are also concerned that there should be explicit recognition of the opportunity costs, to enable informed prioritisation. For instance, the NHS Confederation told us that while diverting funding to Year 2000 work would not have a direct effect on clinical practice, there would be consequences for other projects dependent on capital investment, such as the move towards single sex wards.[78] We recommend that the Government ensure that financial constraints do not prevent the public sector achieving millennium readiness especially where safety-critical systems are involved.

46. Our second concern relates to the amount of time left for projects to be completed. Experience shows that IT projects frequently fall behind the timetable set for them. There is already evidence that this is happening to Year 2000 projects in departments and agencies. Under the targets set by the CITU, all departments and agencies should have completed audits of equipment by January 1997. However, a survey undertaken at that time showed that only 34% of the 79 surveyed had met the target and that a further 24% had yet to start auditing systems.[79] In May 1997 the NAO reported that "most departments are still auditing systems and planning corrective action"[80]-a full four months after audits were meant to have been completed. Indeed, in November 1997 departmental plans showed that a few departments were still in the audit phase.

47. From the same departmental plans it can be seen that only 36% of departments and agencies expect to complete their Year 2000 projects by December 1998-the date both set by the CITU as a target and suggested as ideal best practice. A further 46% expect to complete by March 1999 and 14% by mid-summer 1999. (A few departments have yet to stipulate project completion dates although, as the Chancellor pointed out, the work needed in these is largely in relation to PCs and not large or sensitive systems.)[81] Some departments and agencies have already set priorities, identifying systems on which to concentrate efforts, and thus they are "correcting business critical systems and may leave systems of minor importance until later".[82] This is clearly the right approach but, as the deadline for readiness is immutable, and as up-dated plans released in early March 1998 show that some departments and agencies have fallen further behind the timetable, we consider that more radical prioritisation is required. We recommend that if, at the next quarterly review, any department or agency is shown to have fallen further behind the timetable, the Chancellor of the Duchy of Lancaster and the CITU should instigate a thorough analysis of that department's Year 2000 programme and assist it to identify and prioritise its key systems.

OTHER PUBLIC BODIES

48. It is more difficult to assess progress in other public bodies, such as local government or the NHS, partly because far less information on compliance programmes has been made publicly available and partly because of the disparate nature of the large number of organisations concerned. Although the Chancellor of the Duchy of Lancaster has no responsibility beyond central Government, he has asked each Secretary of State to ensure that their department performs an exercise similar to the one he has undertaken in central Government in respect of the organisations they sponsor.[83] We recommend that they should do so. We further recommend that the results of these reviews should be made available, as a supplement to the Chancellor of the Duchy of Lancaster's quarterly reports, so that they can both be scrutinised by experts and serve to reassure the public that adequate precautions are being taken.

49. We looked into the steps being taken by the NHS to avoid disruption at the millennium: partly because of the paramount importance of the services it provides and partly because the problem faced by the NHS is more complex than for many other organisations. Not only does the NHS have to prepare its own IT systems and validate all its instruments and devices which may contain embedded processors for millennium readiness but it also has to prepare for the possibility, however remote, that there could be a significant increase in demand for its services if people are harmed by Year 2000 related failures in other organisations' systems.[84]

50. The NHS Confederation highlighted a number of factors which it felt hindered compliance projects across the NHS. For example, it told us that-initially at least-there had been a lack of central support in key areas, such as working with suppliers to obtain statements on whether or not their products were compliant, resulting in much duplication of effort at a local level. The NHS Confederation also pointed to the constraint of funding readiness programmes from within existing allocations.[85] There is some evidence to suggest that central support has been more forthcoming recently. For instance, the Medical Devices Agency has now requested all suppliers to identify which of their products may be susceptible to century date change problems and NHS Regional Offices are now considering ways in which effective testing might be conducted on a regional basis.

51. We do not wish to understate the enormous challenge that achieving millennium readiness presents to the NHS but it is also important that the risk to the public should not be exaggerated. Some reports have, for example, suggested that all 50,000 automated drip feeds in the NHS will need to be recalibrated.[86] The NHS Confederation told us that "the risk is not as exaggerated as has been reported in such quarters ...[in one trust] we have identified and inventoried some 7,000 pieces of medical equipment, of which we believe about 200 alone, 200 only, have a true date time function".[87] This does not absolve trusts of the need to test all their equipment. However, we remain concerned that progress in the NHS compared with other parts of the public sector appears slow: for instance, trusts were not required to provide full costings for readiness programmes until 31st March 1998 whereas central Government departments and agencies provided costings six months earlier. It is essential to guarantee that the NHS is fully prepared to manage the century date change.

Contingency Planning in the Public Sector

52. However thorough the preparations made for the century date change, such is the scale and nature of the problem that it is impossible to guarantee that every computer and embedded system will work properly before, during and after the century date change and therefore there is a need to make contingency plans.

53. There are two aspects to contingency planning in the public sector. First, each organisation must make alternative arrangements for essential systems which might fail even though every effort has been made to make them millennium ready. The Chancellor of the Duchy of Lancaster has drawn the attention of each department to the need to make such plans and has "asked Ministerial colleagues to ensure that the contingency plans in place to cope with major systems failures are adequate to deal with any unforeseen Year 2000 processing problems".[88] Nevertheless, we are concerned that the development of such plans should be monitored. We recommend that progress reports on contingency planning for central departments and agencies should form an explicit part of the Chancellor of the Duchy of Lancaster's quarterly reviews and further that such reporting should be mirrored by all Ministers in respect of the public bodies which their departments sponsor.

54. The second area where Government has a responsibility for contingency planning is in respect of the breakdown of essential public services, whether provided in the public or private sector, such as emergency services, power and transport, however remote such possibilities may be. Responsibility in this area falls to MISC 4-a Cabinet Committee, chaired by the President of the Board of Trade, which met for the first time in January 1998.[89] MISC 4 members have a difficult job to perform as the millennium approaches in drawing up contingency plans for the worst possible, and most unlikely, scenarios. They will also have to balance the need to reassure the public that such plans are in place with the risk of causing widespread fear and panic.

Private Sector

LARGE COMPANIES

55. We received evidence from a number of large, national and international corporations and some of their representative organisations, covering different sectors. They willingly told us about their Year 2000 programmes, their estimates of the level of compliance they expected to achieve and the implications of Year 2000 issues for their businesses.[90] The vast majority of these organisations were confident that their own Year 2000 projects would be completed in time and that any anomalous failures in their systems would not cause significant business disruption.[91] Many other witnesses agreed that the majority of large corporations in the UK were tackling the problem: for instance, Morgan Stanley told us that they "believe that most large corporations have achieved Year 2000 awareness ... and are progressing in their efforts" and IBM that, based on their experiences, they believed that most of their larger customers were taking action.[92]

56. Nevertheless, most of the major corporations among our witnesses expressed sentiments similar to Railtrack who told us that "no organisation can be certain that it will be totally free of problems on the day. Our approach of informed due diligence is intended to maximise our chance of achieving this. That said, we remain vulnerable should organisations on whom we depend fail".[93]

SMALL AND MEDIUM-SIZED ENTERPRISES

57. There is some evidence to suggest that large companies have a genuine cause for concern as a result of Year 2000 related problems in other companies on whom they rely as suppliers, customers or trading partners, especially where those companies are small or medium-sized enterprises (SMEs). A survey conducted on behalf of the DTI in December 1997 reported that while 97% of SMEs claimed to have an understanding of the business implications of Year 2000 problems, 14.3% had done nothing to address them and 45% were still in the process of auditing systems. Moreover, 57% were planning to wait until 1999 before allocating a budget for compliance. Most of our witnesses supported the thrust of these findings.[94]

58. Some witnesses told us that many SMEs that did not now start making concerted efforts to address century date change problems were running the risk of not completing remedial action on time-indeed some argued that it was already too late to start and complete thorough projects in accordance with best practice.[95] Not only is there the immutable deadline which is now less than 21 months away-and we have already pointed out that IT projects are infamous for taking longer than expected-and the possibility of malfunctions before that date, but there is also an acknowledged skills shortage in at least three of the areas needed to undertake most compliance projects-project management, software engineering and embedded chip engineering (see paras 82-84). This may affect SMEs more than large corporations as the former are less likely to have in-house staff with the necessary skills. So, while delaying Year 2000 projects until 1999 may be a reasonable position for any one SME to take in isolation, such shortages are likely to result in the combined demands of a large number of SMEs exceeding the available supply of skilled labour. This, coupled with the demands of customers and suppliers for reassurances on millennium readiness, means that SMEs in general should take remedial action earlier rather than later.

59. We are less concerned about the very smallest businesses, some of whom may not be critically dependent on IT systems. Indeed a recent quarterly survey from the Forum for Private Business, a representative body for small businesses, shows that some 10% of its members have no computer hardware or software.[96] In some of these cases, it may be quite legitimate to argue that the century date change poses a lesser risk to the business than other concerns such as the demands of self assessment for taxation or protracted transport delays. Nevertheless, there is still a likelihood that these organisations are dependent on embedded systems of some sort such as a fax machine or a building management system and therefore they do need to take some precautionary action.

60. The scale of disruption that widespread failures in SMEs could potentially cause for the whole economy should not be understated. It is estimated that there are some 3.7 million business enterprises in the UK, with SMEs making up more than 95% of the total. Larger companies who have amassed expertise on Year 2000 issues have a valuable role to play in stimulating action on behalf of those SMEs who are their suppliers, customers, trading partners or form some other vital part of the business chain, and some have done so.[97] Indeed, many recognise that it is in their own best interests to do so. For instance, we were impressed by what Shell UK told us of their work with suppliers which involves disseminating best practice and passing on expertise.[98] Action 2000 are now working with a number of larger companies to encourage them "to share their experience to assist those companies whose preparations are less advanced"-a development which we welcome.[99]

61. Nevertheless, we obviously cannot rely solely on a few large companies to stimulate action on behalf of millions of SMEs. A more pro-active and direct approach is needed to ensure that every SME is made fully aware of the business implications of the century date change. In January 1998, Action 2000 launched its 'Millennium Bug' campaign aimed primarily at SMEs. We would have preferred to see the campaign launched earlier but our main objective now is that its message should reach those for whom it is intended. We are concerned that a major part of the campaign consists of providing information over the Internet. As ICL told us, most SMEs either do not have access to the Internet or do not have personnel with the skills to find the information or put it to use.[100] While publication on the Internet is certainly worthwhile, Action 2000's telephone helpline may reach a broader audience, but only if it is well publicised. Moreover, the helpline will only be effective if it can respond to all the demands placed upon it in terms of capacity and quality of information.

62. The BBA have developed a checklist aimed at small businesses-"a self assessment checklist to help guide businesses through the work needed to get them ready for Year 2000", which some of their members are already using as a basis for discussions with their business customers, and suggested last year to Action 2000 that the scheme could be extended to become a standard checklist.[101] We see considerable merit in this suggestion. Such a checklist could act as a useful reminder to businesses of the issues they need to consider. Perhaps more importantly, it could also provide a common reporting format thus reducing the need for businesses to respond separately to numerous requests for information on progress from, for instance, auditors, insurers, customers, bankers, shareholders, regulators or trading partners. The sooner the checklist is introduced, the more benefit it could be to businesses and those seeking information from them. We recommend that Action 2000 develop a standard checklist to enable businesses to report progress in a common form as a matter of priority.

63. Over the last few years the Government, and the DTI in particular, have put considerable resources into developing the Business Link network as a means of communicating with SMEs. As several witnesses argued, this network could now be used to reinforce the messages being sent to SMEs by other companies and Action 2000. There are also clear advantages in Action 2000 working, as it already does to some degree, in liaison with other organisations that have strong links with the SME community, such as local Chambers of Commerce. Another means of reaching businesses directly would be to include information leaflets in telephone or other utility bills which are delivered to the vast majority of SMEs. We recommend that Action 2000 treat stimulating action on the part of SMEs with the highest priority and that it works with the Business Link network and other organisations in close contact with SMEs to ensure that its message is not only sent but received.

68  Ibid. Back

69  Ev.p. 89. Back

70  Ev.pp. 88-9. Back

71  QQ. 407 and 428. Back

72  Q. 407. Back

73  eg. Ev.p. 58. Back

74  eg. Ev.p. 168. Back

75  Q. 402. Back

76  Q. 415. Back

77  Q. 430. Back

78  Q. 362. Back

79  Managing the Millennium Threat, p. 9. Back

80  Managing the Millennium Threat, para 2.1.7. Back

81  Q. 401. Back

82  Ev.p. 88. Back

83  Q. 399. Back

84  Ev.pp. 78-81. Back

85  Ev.p. 78. Back

86  Q. 390. Back

87  Ibid. Back

88  Ev.p. 89. Back

89  Q. 412. Back

90  eg Electronic Data Systems, IBM, Barclays Bank, Railtrack, Shell UK, BT, ICL, the BBC, Lloyd's of London, Sainsbury's, The Confederation of British Industry, Morgan Stanley, BNFL, GEC Alsthom, the British Bankers' Association, SmithKline Beecham, British Airways, Marks and Spencer, British Gas, and The Institute of Directors. Back

91  eg. Ev.pp. 131-3, 140 and 149. Back

92  Ev.pp. 57 and 168. Back

93  Ev.p. 140. See also Ev.pp. 132 and 149. Back

94  Ev.p. 57. Back

95  Ev.pp. 135-8. Back

96  Forum for Private Business, The Year 2000 and Computer Compliance, February 1997. Back

97  eg. Ev.p. 22. Back

98  Q. 172. Back

99  Ev.p. 22. Back

100  Ev.p. 152. Back

101  Ev.p. 109; Q.502. Back