
Abstract:
In 1996, many companies considered the "Vendor Management" portion of their Year 2000 (century date change) Project as a simple task involving the sending of Year 2000 compliance letters and the monitoring of vendor responses. It now is evident that there are many other steps involved in a comprehensive and continuous Vendor Management Process (VMP).
Objective and Benefits of Vendor Management
Most organizations use literally thousands of products from vendors (third party providers). As the Year 2000 approaches, the vendor products using or comprising computer hardware or software, microprocessors, or other similar technical or electronic components must be scrutinized to determine if these products are, or can easily become, Year 2000 compliant. Year 2000 vendor management is a task that is taking (or should have taken!) place at nearly every organization world-wide.
Unfortunately, some organizations have considered vendor management as "too simple" a process -- creating short vendor letters requesting information on Year 2000 compliance, mailing them to vendors, and awaiting their responses. There are many other factors which need to be considered, turning the "task" of vendor management into a continuous Vendor Management "Process" (VMP).
Complexities of the VMP
Several factors make the VMP complex. The first and most obvious factor is scope - what products and vendors should be included? Certainly information systems products, such as hardware, vendor application software, operating systems, and access methods must be included.
But then there are PC hardware and software, layered ("utility") software, compilers, schedulers, tape library management systems, scanner/barcode and similar products. In addition, items such as telephone equipment and electronic office equipment should be included, as well as devices with "embedded" logic based on microprocessors, such as lab systems, process control/shop floor devices, and the other often-referenced devices in Year 2000 articles (elevators, HVAC, etc.) which are not the responsibility of most Information Systems departments.
The challenge of scope is not only in finding all these devices, but also in finding someone in your organization willing (and interested enough!) to ensure that these devices are determined to be compliant. But the hidden challenges of vendor management go far beyond scope. Everyone seems aware that a vendor inventory must take place. But the VMP must take on a more visible and complex role than simply a "point in time task"... something that only has to happen once at the beginning of a Year 2000 project. After this vendor product inventory is completed, there are five additional steps which must occur. These are the five basic, but sometimes overlooked, steps to a comprehensive VMP, and the acronym to help remember them is "ALRIC".
A (Addresses)
Before or during the inventory of all in-house and vendor (third party) applications, most organizations formally or informally appoint a Vendor Management "coordinator" (VMC), someone responsible for the Vendor Management Process. One of the early roles of the VMC is to ensure that, for each vendor product, accurate and up-to-date contact names and addresses are available. Remember, some of these products and vendors may not even have been thought about for years! To accomplish this, the VMC should contact each vendor by phone, inform them of the objectives of the organization's Vendor Management Process, and then document the correct contact person and address to whom all VMP correspondence should be sent.
L (Letters)
A vendor letter should be created by the VMC, then approved by the internal legal counsel or department. Certain states or countries may have laws or guidelines regarding contractual obligations, software licensing and warranties; it is very advisable to ensure legal has reviewed the "generic" vendor letter.
Also, the vendor letter should NOT simply state, "We use your products, tell us if they are compliant". A vendor letter should include, briefly, your organization's definition of compliance, a list of specific compliance questions, and a timeframe in which you expect a response. Some of the questions which are appropriate for the vendor letter (and there are many!) are: Can you include references or evidence of your compliance status? Does your product use any "timebombs" which would prevent us from "future-testing" it with dates after the millennium? What Year 2000 solution (field expansion, windowing) do you plan to deploy? Do you correctly recognize 02/29/2000?
Remember, you probably only have time to get out one set of vendor letters during your Year 2000 assessment phase... try to get as much information as quickly as possible. Therefore make your vendor letters easy to read, easy to answer, and better yet, tell your vendors what products you have! If you include statements like, "We believe we have the following models, versions or releases of your products (but please add items to this list if you know of other product information relevant to us)..." then you increase your chances that the vendor will put your letter on the top of the list, rather than in the pile with the 500 other vendor letters he has received that week!
R (Responses)
An important element of the VMP is determining how letters will be sent, and how responses will be handled. Must you keep "hardcopy" of each letter sent? Will you send your letters certified? Return receipt? How should these receipts be tracked? Where should the receipts and responses be stored? Should they be filed, scanned, and/or copied?
Again, speak with your legal advisor. In some states or countries, it may be important to store responses in a secure area. These responses might represent legal positions or extensions of original contracts, and therefore should be treated in a confidential manner. Litigation for Year 2000 may prove to be impractical if thousands of people are all seeking similar damages. But if a vendor insists, "That's not the response I sent; someone must have tampered with it," it would be prudent if your organization could demonstrate that vendor responses were neither altered nor accessible to non-authorized personnel.
Lastly, the VMC should create a "digest" or spreadsheet which tracks all vendors, their products, when letters were sent and responses received, and a short comment about the nature of these responses. If your organization is coordinating the compliance of hundreds of vendors, this spreadsheet will be of tremendous benefit.
I (Interpretation)
While "A, L and R" are relatively straightforward, the remaining two steps are more complex. Once responses are received and stored, who should read them? Who should determine if answers are complete or missing? Who should determine if another letter needs to be sent? Someone with a good understanding of Year 2000 issues, or perhaps a team of people, should review and interpret the letters. An advisable process is to have a single person read all letters (initial interpretation by committee can slow the process to a crawl) and "pull" all letters that have non-obvious or questionable responses. These can be reviewed by a team; the most extreme cases can be sent to Legal for review.
In addition, many vendors may respond by saying, "See our Web page for product information." Or they may send a 200-page book or detailed list. Who will actually do the work (originally intended for the vendor) to read these books or web pages and extract the appropriate information? The VMC should proactively set up procedures so that when responses are received, organizations are not awash in information!
C (Communication)
Finally, how is all this vendor data to be passed on to the hundreds of people at an organization who need the information? Can it be condensed? Should it be sent every week or month? With hundreds of vendors and thousands of products, how can this be handled? And how will people be informed when information changes?
Consider the large organization with thousands of vendor products, used by people all over the world. Getting condensed and concise vendor information in their hands is challenging enough. But imagine if a vendor sends an urgent letter, explaining that the product they "thought was compliant" was going to crash and burn on January 1, 1998. How would the VMC know who to contact? And what if letters like these started coming in every other week? The timing and medium used for VMP communication are critical, and should be planned as early as possible in the process.
Some Final VMP Recommendations
First and foremost: the VMP is a continuous process. Vendor information frequently changes. Vendors believe products to be compliant, only to later discover they are not. Vendors commit to future dates for compliance... someone must ascertain whether these dates are met. Also, a process must exist for newly acquired products (and vendors) to enter the VMP! It is therefore advisable, perhaps every six months, to write to all vendors again with a letter stating, "You wrote us on (x) date regarding Year 2000 compliance issues; we now ask you to inform us if any of this information has changed, and to describe the nature and reason for these changes."
Second, some organizations deploy an additional step early in the VMP, called "Special Handling". There may be vendors that should be considered "critical path"... 10-20 vendors whose relationships are key to an organization, such as a major software vendor. These vendors should be processed immediately, perhaps with face-to-face meetings. Another group of vendors can be singled out as "low credibility"... vendors who historically have missed deadlines, provided defective code, or have similar "bad track records".
Finally, consider including other entities besides vendors. Outsourcers, government organizations, banks, credit/payment processors... many provide software, interfaces, and relationships that are critical to an organization's business. A letter or communication, similar in nature to the VMP letter, needs to be sent to all external entities that can affect an organization, even those with which no electronic information is shared. If you depend on a small group of suppliers, customers, shippers, brokers, or agents -- when they're struggling with a Year 2000 outage, you will likely be struggling as well!
It is an overworked cliche, but the VMP is not "rocket science". Many people have made similar statements about the Year 2000 problem itself. But the VMP must deal with so many vendors, so many dependencies, so many products; so many entities outside of your control. All of this must be handled in a time-compressed fashion, while every other organization worldwide is attempting to accomplish the same. Take the VMP head-on, put someone in charge, and get it implemented as quickly as possible. Having information is better than needing information, and successful organizations will be able to quickly make better decisions if they simply start... and start now.
Byline: Michael Cohn is the President of MDY, Inc., a Year 2000 consulting firm in Atlanta. He was formerly a Principal in IBM's Year 2000 practice in the Southeast, and is a veteran columnist for Computerworld. He can be reached at [email protected].