As CFO of Mastech Corp., a $400 million information-technology company, Jeffrey McCandless finds himself putting business partners and suppliers on the chopping block these days--ready to give them the ax if they slip up. "We'll be monitoring them and making serious decisions during the next four quarters," McCandless says.
The extra scrutiny is over concerns about their ability to handle Year 2000 (Y2K) computer problems. McCandless has been supervising his company's Y2K preparations, which puts him in the same position as more than a third of CFOs, according to a survey of large (mainly Fortune 500) companies conducted by CFO magazine. He is in charge, the finance chief says, because "we face pretty severe legal ramifications if we don't do everything possible to address the problem."
Part of the business of Oakdale, Pennsylvania-based Mastech involves guiding its own client companies past 1999 painlessly. So Mastech may be more sensitive than most to the vagaries of the so-called Millennium Bug. But the company's broad view in assessing and limiting the impact of potential Y2K failures is far from unusual in Corporate America, where nearly all major corporations now have teams in place to handle Y2K-related issues. That view goes way beyond testing the computer hardware systems, software systems, and equipment containing embedded chips, which could be crippled if older, noncompliant programs misread the year 2000 as 1900. No matter who is supervising the project--in most cases, it's the chief information officer (CIO), with the CFO as an adviser--the even bigger job is preparing for the consequences of the internal and external failures that are expected to occur.
Indeed, according to the CFO survey, two of the top three Y2K concerns on the minds of finance executives are strategic worries: Their company will be unable to deliver products or services to customers, and there will be severe corporate legal liability. Those two worries appear on the lists of 72 percent and 39 percent of executives, respectively. (The third threat listed by CFOs is that their company's internal computer or mechanical systems will fail.) By now, of course, it is clear that failures will hit each industry differently, according to its particular problems and its degree of preparedness.
Utilities and health-care companies are notoriously behind, and manufacturers, retailers, and technology firms are all over the lot. Meanwhile, insurers and banks--domestically, at least--have made perhaps the greatest strides toward compliance. That is not to say banks now have it easy, of course; nearly every aspect of their operation involves computers. One survey of the reports major banks filed with the Securities and Exchange Commission in the latest third quarter shows nearly all have increased their estimates for year-2000 expenditures by 10 percent or more. BankAmerica Corp. added $50 million to its previous $500 million number, while Cleveland's National City Corp. raised its estimate 63 percent, to $65 million, citing the cost of fixing computers.
Overall, Stamford, Connecticut-based consultant Gartner Group predicts, nearly a third of bread-and-butter information systems across all industries will have missed their repair deadlines by January 2000. Interestingly, the threat to financial markets is a distant fourth among perceived Y2K threats, making the worry lists of about a quarter of the finance executives CFO surveyed.
"Advisory, Not Aloof"
In press coverage about the dangers of the Millennium Bug, CFOs are rarely cited as sources for what companies are doing. Many "think this is a computer problem that should be handled by the CIO," says William Ulrich, president of Soquel, California-based Tactical Strategy Group Inc. But "the whole Y2K project should report to the CFO," Ulrich says, "because the whole risk from Y2K translates to dollar losses that can drive a company out of business."
Finance executives who have the problem in their sights agree. "Now is not the time to sit in the backseat and allow other people to drive; I'm absolutely responsible for this," McCandless declares. At Campbell Soup Co., executive vice president and CFO Basil L. Anderson officially advises the $6.7 billion food concern's Y2K team, but he scoffs at the thought that "advisory" means "aloof." "That's like saying that if we do a bond financing, I'm an adviser," Anderson says with a laugh. CIO Roger D. Berry may be "the point person," according to Anderson, but "this is not a CIO project; it's a business initiative that has a number of business leaders involved."
Besides, Anderson says, the CIO reports to him. "So if he screws up, I've screwed up."
All the work of Y2K teams, no matter who heads them, is designed to prevent screwups. And at companies like Mastech and Campbell Soup, that's a lot of work, indeed. They are setting up intensive reporting systems, involving scores of people in multiple departments. They are sweating over every vendor, supplier, and customer in their corporate food-chain, and looking at the possibility of trouble with the Internal Revenue Service and other government agencies that may be ill-prepared--or that are charged with probing corporate Y2K-related lapses. They are allocating resources to attack the bug, and are making sure that the CEO and the board are apprised of progress. And that's even before they get to contingency planning for failures, or legal strategies to protect the company from suits. Meanwhile, the clock ticks louder every minute.
At Mastech, where the CIO also reports to McCandless, the CFO meets weekly with the company's five-person Y2K team. He hears their progress reports about the compliance of internal hardware and software systems and the surveying of vendors and customers, then takes his findings directly to the chairman and to Mastech's board. McCandless has hired Arthur Andersen LLP to review the company's efforts and check everything from computers to telephone systems and elevators. If any of Mastech's 26 worldwide locations still should be unable to do business come January 1, 2000, the company is making preparations for one specially prepared location to carry on.
At Campbell Soup, based in Camden, New Jersey, much of Anderson's strategic role has involved helping prioritize potential problem areas. "We find the most critical suppliers and test them, then work with them," he says. "Getting tomatoes, for instance, is a key supply issue." For "legal reasons," form letters asking vendors to verify their own compliance are mandatory. "But we take it a step beyond that," he adds, "by talking directly with these people and seeing what can be done" to achieve compliance and avoid surprises. The plan at Campbell, which counts more than 700 business systems affected by the Y2K issue, involves completing the review of critical systems by the beginning of this month, and checking noncritical systems by July 31. "That gives us a chance to adjust to any changes that might need to be made," Anderson says.
A Blizzard of Suits
Any CFOs who weren't paying attention to their companies' programs found themselves under the gun rather suddenly this past summer, when the SEC's Y2K disclosure requirements took effect. Before the SEC sought the statements, "a surprising number of CFOs in the Fortune 500 didn't pay attention to Y2K," says Russell Beck, an attorney with Boston law firm Epstein Becker & Green. So far, the SEC has acted only against some brokerage firms that didn't comply, but that crackdown is sure to expand.
"The risk for any corporation is that shareholders get surprised," says Mike Rescoe, senior vice president, CFO, and treasurer of PG&E Corp., a $15.7 billion energy services holding company in San Francisco. "We don't see any percentage in minimizing the impact. You buck up and live with it" by making open and honest disclosures, he says.
Other watchdogs are nipping at the finance department's heels, too. Recently, Standard & Poor's and fellow credit-rating firm Duff & Phelps Credit Rating Co. began evaluating corporate ratings with an eye to preparedness. "A company's failure to address the Y2K issue will negatively affect its operations and its ability to generate revenue and repay debt," says Georgina Fiordalisi, a Duff & Phelps analyst in New York. "To that extent, its rating would be in jeopardy."
The degree of financial threat posed by what almost certainly will be a blizzard of Y2K lawsuits is one of the great areas of speculation among companies. Few feel confident about their ability to recover damages from all the suppliers or business partners whose problems might lead to revenue losses. And a company that has even a small system failure will find the door open for legal action by customers or business partners, and by shareholders caught in the pinch.
An Insurance Quandary
Some suits are already in the courts. San Francisco-based law firm Hancock Rothert & Bunshoft LLP counts 20 cases circulating through the U.S. judicial system--naming Andersen Consulting and such software firms as Intuit Inc., Quarterdeck Corp., and Symantec Corp.
Insurance targeted directly at Y2K-noncompliance coverage is rare--and extremely expensive. Only a handful of insurers worldwide--Lloyds of London, New York-based American International Group, and Chicago-based CNA Insurance Group are three that have rolled out products in the past year--offer meaningful Y2K coverage. And the cost is considered by many to be prohibitive: generally $500,000 to purchase $1 million worth of coverage. "We decided we would rather run the risk," says Holger Huels, CFO of the U.S. operations of Boehringer Ingelheim, who scouted out premiums for the giant German pharmaceuticals company. While more carriers offer directors' and officers' coverage that includes some ramifications of Y2K problems, the policies generally don't protect against bodily injury, property damage, or other third-party claims.
That doesn't mean CFOs have to take no for an answer. One-fifth of CFOs in our survey say they have such insurance. And existing insurers may be willing to tack on a Y2K liability rider to their policies, says Jack Acosta, CFO of database software giant Sybase Inc., in Emeryville, California. "When your insurance comes up for renewal, a lot of carriers may ask you about it," he says, adding, "We made sure we had the coverage."
Many finance chiefs are working closely with the corporate counsel--not that this always spells much relief. Even Kelvin Quan, an attorney who holds the jobs of both CFO and general counsel at Alameda Alliance for Health, a Medicare HMO in San Leandro, California, finds himself perplexed by what could happen on the legal front. "I'm responsible for protecting us from liability, but also for verifications from doctors and hospitals," he notes. Health care has been among the slowest industries to move toward compliance, and that has Quan feeling out of control. "So many clear Y2K issues are tied to the health conditions of the patients," he says. "It's one thing for a database to say a patient is 102 years old instead of 2, but it's another thing if biomedical equipment or respirators fail."
His response to the foot-dragging among affiliated health-care companies has been to review every contract his organization signs, and he does not rely on promising-sounding compliance letters. His own, very specific language gets inserted into every contract. An example: "Provider assures that its computer systems and processes shall be able to accommodate and process date information later than December 31st, 1999, such that the year 2000 shall be recognized as the year 2000, rather than 1900." If physicians don't provide his organization with satisfactory information about their Y2K efforts, Quan will take Alameda's business elsewhere. But when it comes to getting hospitals to toe the line, he admits, there's only so much he can do. "In those cases," he says, "we have to rely on greater gods--state licensers, accreditations, and payors that have a bigger slice of their business pie than we do."
The CFO survey shows relatively good progress among companies surveying their own internal IT infrastructures. Most say the job is more than three-quarters complete, and only a handful are below the halfway mark in their reviews. But when it comes to surveying vendors, nearly 25 percent are in only the early stages.
Mastech's McCandless takes it as his personal responsibility to validate the compliance of major vendors when he can, checking "with customers and suppliers every 30 days to see if they're on track." He figures he now spends 20 percent of his time in meetings designed to assure himself they are keeping their promises. "I want to look at them eye- to-eye to get a feel for what they understand and how far along they are," he says. Still, he adds, the reviews have shown that "a lot of these people are nowhere close to being done." Vendors that proceed too slowly are being dropped from the rolls. One for which "we're looking for alternatives," he says, is Mastech's current telephone-system provider.
Randall Raab, assistant treasurer of Consolidated Papers Inc., a manufacturer of coated printing paper in Wisconsin Rapids, Wisconsin, is prepared to follow up a letter-writing campaign with "site audits" of the 60 financial institutions that serve it. "We would make personal visits and have them show us their Y2K tests," he says, noting that the banks did satisfy him that they would be ready for business in a year.
Mary Rolf, who is both senior vice president and CFO in charge of information systems at Minneapolis-based office-furniture-systems maker Rosemount Office Systems Inc., grills the company's most important suppliers and vendors about their Y2K readiness. So far, the results have been disappointing. "Most statements we get back are positive. Vendors don't answer the detailed questions; they just expect us to take their word for it." Like McCandless, she is looking for alternative vendors in the worst cases.
She particularly worries that "small, less-sophisticated" companies providing Rosemount with steel, bolts, and fabric won't be able to deliver products--no matter what they tell her. "I'm less concerned about customers, because they could write an order on a napkin and we'd process it," she says.
For practical reasons, about a fifth of large-company CFOs report in our survey that they will accept verbal assurances from some vendors and business partners. That's risky, particularly when vendors are in countries poorly equipped to deal with the problem, says Y2K expert William Ulrich. "Verbal agreements are worth the air they're written on," he says. "This is not just a matter of trust. It's a matter of due diligence."
CFOs in charge of remediation programs must pay attention to noncomputer equipment, too. Like the majority of finance executives answering our questionnaire, Sybase CFO Acosta is well along in reviewing the status of internal company software systems, estimating "we're 75 percent of where we need to be." He and his fellow finance chiefs in the CFO survey are far less sure, though, about telephones, switching systems, elevators, security systems, and facilities. "The problem is that you don't know which systems' embedded chips to go after," he says. "It's a big concern. We're spending a lot of our energy on that."
An IT Guy Falls Down
One compelling reason for CFO leadership in fighting the Y2K problem is that information technology departments lack the necessary strategic view of the business--a shortcoming that can lead to huge problems down the road.
Rosemount's Rolf experienced a costly disaster firsthand, when her company's since-departed IT manager took the Y2K cure upon himself. In late 1996, he spent $50,000 to date-convert the company's old databases. When the line-by-line conversion was completed in June of the following year, the company discovered the painfully upgraded software no longer met the company's business needs. "The decision to go with upgrading the current software was made in isolation, outside of a plan, [and without] investigating other options," Rolf says.
Rolf subsequently took responsibility for Y2K compliance herself, and hired an outside consultant to help develop a detailed technology plan. Rolf invested more than $250,000 in new hardware and software that would not only keep the company running past 2000, but would serve customers better. The new software schedules production, automates purchasing, and tracks shipments for Rosemount, and next year will allow customers to order office systems, get estimated prices and delivery dates, and check on order status. "Now we're completely compliant and we're pleased with the software, but we learned the hard way," she says.
"The CFO has responsibility for the fiscal health of the business, and he must be accountable for anything that threatens that," says Campbell Soup's Anderson, who estimates that the total cost of Campbell's remediation "won't exceed $50 million." He calls Y2K problems "just one example."
PG&E Corp. finance chief Mike Rescoe has vice president and CIO John Keast reporting to him, and they sit down with the energy company's six-person Y2K project team every other week in the chairman's office. "One big concern is the trading area," says Rescoe, whose company is a large trader in both natural-gas commodities and electric power. "The Y2K issue causes us to think differently about how we manage our risk. If 5 percent of your supply comes from a counterparty that can't perform for three days, that's a large piece of the market that could cost you a lot of money on a moment's notice. So we modify the way we do business by taking more positions and spreading the risk around."
With his industry late in dealing with Y2K, he admits, he spends a lot of time making motivational presentations to PG&E Corp.'s rank-and-file. "They need to hear from the people at the top about the tremendous potential for litigation," he says. "It's been a surprise to find out the extent to which you have to approach this as an internal behavioral problem." Rescoe has allocated special corporate budget resources for the project and doles that money out to operations that need it--something that has made PG&E Corp. managers rest easier. "You have to give the operational people comfort that this won't come out of their budget," he says.
"A Long Vacation In A Hot Climate"
CFOs in charge of Y2K programs must also spend time with contingency plans--although it's not a subject they will talk much about. Mastech's McCandless, in addition to arranging to have a special support office ready in case of unexpected failures, is also working on alternative information-processing plans for vulnerable worldwide operations in Canada, Europe, Singapore, Japan, Australia, South Africa, and India. "Our international offices are banking on us to come up with plans, because the U.S. is far ahead of Europe and the rest of the world in dealing with Y2K," he says.
Chicago-based software firm Cyborg Systems Inc. is taking a triage approach to shoring up its international offices. Vice president and CFO Joe Heery says the company has already taken inventory of every item of hardware and software it runs worldwide. "We ranked everything in order of importance to the business, and we're addressing the applications that we feel are most critical first," he notes. Elements that affect customers, such as Lotus Notes-based databases or network-security software, are being tested and fixed now.
One large manufacturing firm's CFO, who asked not to be identified, says his plan includes moving to manual reporting systems, warehousing inventory, and stashing emergency money. "We're looking into alternative methods for getting deliveries of raw materials and supplies," he says. "We're analyzing what we will do if customers can't pay us." He's also thinking about a "long vacation in a hot climate" next year.
If there is a positive side for CFOs trying to get their companies compliant, it is the payoff they can observe along the way. "The interesting thing for us," says Campbell Soup's Anderson, "is that there hasn't been much change in our learning since we started work. We began assessing the situation 12 months ago, and we don't see any huge new problems. That's very comforting; it gives us a sense that we're on the right track."
Bronwyn Fryer is a freelance writer based in Santa Cruz, California.