Contingency Planning and Supply Chain Risk Analysis in SMEs:
The Case of Y2K

By

Anthony Stanger *

School of Commerce

Flinders University of South Australia

GPO Box 2100

Adelaide, South Australia 5001

Telephone: +61 8 8201 2764
Facsimile: +61 8 8201 2644
Email:

SCHOOL OF COMMERCE RESEARCH PAPER SERIES: 00-11
ISSN: 1441-3906

*The comments and suggestions of Chris Kandunias are gratefully acknowledged.

Introduction

Contingency planning and supply chain analysis are processes that can reduce an enterprises’ risk exposure to unexpected events and improve its ability to deal with any event that should arise. Enterprises of all sizes can benefit from these processes. Unfortunately though, because of the potential resource poverty of small and medium enterprise (SME) and perceptions of owner-managers that they are less likely to be affected by unexpected events, they may be less inclined to conduct contingency planning and supply chain analysis.

This paper considers the merits and processes of contingency planning and supply chain analysis in SMEs using Y2K as an example of a source of risk and threat. The potential impact of Y2K on SMEs is discussed, followed by a guide on the application of contingency planning and supply chain analysis to SMEs in the context of the Y2K threat. This is followed by anecdotal evidence on possible reasons for the seemingly low impact of Y2K on SMEs. Finally, the potential longer-term benefits of any Y2K compliance work undertaken, including contingency planning and supply chain analysis are outlined.

Potential Impact of Y2K on SMEs

At a small enterprise conference in Melbourne in 1999, an international speaker from the Caribbean commented on the seriousness with which the Y2K bug was being taken in his region. He suggested that young entrepreneurs thought that Y2K was a new rock band debuting 1 January 2000, small business owners believed it is a protection racket Mafia and large business considered it a conspiracy created by the international computer and software manufacturers.

Fortunately, the issue had been given serious consideration here with Australia being rated in the group of countries, including the US, UK and Canada, to be best prepared for the Y2K problem (Gilbey, 1999). Despite this, surveys suggested that a significant number of firms would not be Y2K compliant. For example, an ABS survey of 6,500 firms released in December 1998 indicated that although 92% of firms were aware of the problem, only 57% had taken or intended to take any action. The story was even grimmer for small businesses with an Australian Banker’s Association survey in April 1998 indicating 75% had done nothing about the problem and 50% were not planning to. One state government estimated that up to 10 per cent of SMEs may fail (Hayes, 1998). This was likely to have a major flow-on effect to other SMEs because of the dependence of SMEs on cash flow from business operations for survival due to limited financing opportunities. Y2K events or failures either internal to the SME or externally in the supply chain, would impact by disrupting cash flow, causing liquidity pressure and increasing the likelihood of business failure.

Many business managers erroneously believed the Y2K problem was restricted to mainframe computer systems and plant and equipment. Notwithstanding that PCs were only 15% of the overall Y2K problem (Business Victoria, 1999), many small businesses used desktop computers. PCs were considered to be highly vulnerable as evidenced by the announcement by software manufacturing giant Microsoft that Windows 98 software had 11 possible date and time malfunctions if the software was not upgraded (Business Victoria, 1999).

PCs may have interpreted the date incorrectly and caused the computer to shut down, produce erroneous information or inaccurate calculations. The day-to-day management processes most at risk in a small business included transactions such as invoices, purchase orders and stock replenishment orders; calculations of debtors and creditors, interest rates, mortgages and lease payments; payroll, personnel records, annual and long service leave entitlements, and superannuation; use-by dates for warehouse and shelf stock; and the supply chain for goods and services bought and sold. Other common appliances or pieces of equipment that contain an embedded chip that could also have been affected included cash registers, telephone and answering machines and faxes, credit card and EFTPOS terminals. It is because of this risk exposure that many SMEs were particularly vulnerable due to the possible impact on operations and cash flow.

In addition, SMEs with electronic plant, assembly and manufacturing equipment, and environmental control and building security systems may have also been exposed to considerable Y2K difficulties. Occupational health and safety issues causing injury or death could have arisen. SMEs that use engineering, production, and manufacturing equipment were at risk as these systems were likely to contain embedded systems to plan, measure and control processes. Examples of system failures and the consequences included automatic safety guards on manufacturing equipment, equipment with rotating or reciprocating functions such as industrial lathes and diesel engines (which are potentially dangerous due to inflammable fuels such as diesel, rupturing of high pressure hoses or pipes due to past replacement date, and the leaking of exhaust fumes due to gaskets not being replaced at the correct time) and automated mechanisms to control batch mixing of plastic or rubber that could include consideration of time, pressure and temperature. Even backup equipment may not have worked as a number of systems may have been affected simultaneously (Victorian WorkCover Authority, 1999).

Even as the millennium drew to a close, owner-managers of non-compliant SMEs had limited time to either implement or continue with a program of assessment, updating and testing Y2K compliance. This was particularly important in manufacturing industries with regard to occupational health and safety as a workplace accident causing injury or death could have resulted in legal liability. The longer that owner-managers waited to take corrective action, the greater the delay and expense associated with obtaining expert help. Additionally, the Insurance Council of Australia pointed out business could not assume that Y2K claims would be covered as insurance is designed for unexpected events and the Y2K problem had been known for some time. Only businesses that had satisfied a full compliance check by an independent organisation may have been able to get insurance coverage for claims arising from Y2K (Lawson, 1999).

Most attention in the media and literature focused on the potential internal impact of the Y2K problem on business and the importance of a compliance program of assessment, correction and testing of compliance. Relatively little attention had been given to the importance and process of contingency planning and the assessment and treatment of risk a business faced from the external environment through its supply chain. These two Y2K issues were very important as no matter how thorough a compliance program had been, there was no certainty that a firm would not be affected from within, let alone externally by firms in the supply chain that may themselves be affected by Y2K.

Contingency Planning

In general, a contingency plan should identify the risks and potential consequences of problems occurring and provide options for dealing with them. In the context of Y2K, the problems that should have been considered were both internal to the SME such as equipment failure, as well as external in the supply chain of goods and services vital to the enterprise like resources, power, gas water, public transport and communications. With regard to internal operations of the business, the owner needed to plan according to the state of Y2K compliance preparedness. This involved considering whether the business had an old operating system, which may or may not have been fully converted or updated, or a new system, and the degree of testing that had been carried out to determine the extent of Y2K compliance. Contingency planning effectively would have helped to minimise the damage should an event have occurred and assist in getting the business operation back to normal as soon as possible after an event. Contingency planning was particularly important for SMEs and firms in their supply chain that were not Y2K prepared (Montgomery, 1999).

A general guide of contingency planning for SMEs, as well as other businesses, that should have been followed includes the following steps.

  1. Establishment of a team and chain of command with the head of the team responsible for deciding when to act. In the case of an SME, the owner-manager was likely to take this role and the chain of command would be relatively simple. In this situation, the owner-manager would also coordinate the implementation of the contingency plan. In order to do so, the owner-manager would need to: be present in the business if operating during a period of potential disruption (e.g. New Year’s Eve 1999 and other critical periods) or when re-opening immediately after; have prepared contact details of all staff, suppliers and providers of services and utilities; have identified the skills and attributes of staff and those that are essential and non essential; and ensure effective communication.
  1. Identification of business processes critical to business operations (e.g. accounting software, manufacturing plants); and identification of the critical resources needed to continue operations (e.g. raw materials and personnel).
  1. Outline of objectives of the plan (e.g. what could go wrong, what effects it would have on the business, alternatives – continue normal operations, downgrade operations, abort the function as quickly and safely as possible); the expected duration of the plan (e.g. how long it was anticipated before normal operations resume); and the estimated cost of the plan (e.g. this could be most accurately determined at the completion of the contingency planning process).
  1. Establishment of a criteria for implementing the plan or some of its elements (e.g. serious system failure or inability to meet planned delivery dates); and procedures for implementing the plan (a list of the sequence of actions necessary to move to contingency operating mode).
  1. Description of the roles, responsibilities and authority of various staff (e.g. who would make the decisions and who would do what). Staff would need to be notified so that only essential staff was present. An emergency freecall number with a recorded message could have been established for staff to call about the status of the business. However, in the event of a disruption to communications, alternative courses of action should have been planned in accordance with the extent of the failure i.e. internal, local or general.
  1. Standard operating procedures (e.g. detail how things would be done while the business was in contingency operating mode until things returned to normal). This was the core of the contingency plan. It may have included arranging alternative modes of communication with major suppliers and customers such as a freecall number or satellite phone, staff couriered messages or meetings at pre-designated times and places. Work could have been rescheduled around the most critical Y2K periods to maximise the availability of staff in dealing with any problems. Holiday rosters may have been scheduled around these times.

7.Resources required to operate in contingency mode (e.g. raw materials stockpile and essential staff). Depending on the type of business and its supply chain, levels of inputs and outputs could be varied to cushion the effects of a disruption in the flow of stocks from suppliers. If the business was switched to a manual mode of operation, extra inputs may have been required. In selecting essential staff for the Y2K period, a note of the staff involved in the most critical aspects of the business should have been made and allowed for in any recovery period.

  1. Criteria for returning to normal operating mode (e.g. what triggered a return to normal business operations - functioning of equipment, resumption of power, communications or the supply of resources); procedures for returning to normal operating mode (e.g. startup procedures, who should be advised - clients, suppliers and staff); and procedures for recovering lost or damaged data, (e.g. may have needed to revert to manual operations).
  1. Procedures for evaluating the plan (e.g. noting any related plans that may have already existed - information resources, emergency plans, contingency plans, disaster recovery plans or standing operating procedures); testing the plan (e.g. assume there was a Y2K non-compliance issue and test whether the plan could cope with the event – before testing data a back-up should have been made); and revising the plans (Business Victoria, 1999, pp. 13-5).

This contingency planning process should have been carried out after attempting to test the existing operating system. The process would have been aided by an assessment of the risks inherent in the firm’s supply chain.

Supply Chain Risk

An enterprise’s supply chain is composed of the commercial links between suppliers and customers within the business, as well as their interdependence and can represent considerable commercial risk for some businesses. In the context of Y2K, the supply chain represented a firm’s external exposure to Y2K related events that could have involved the interruption of the supply of necessary resources and inputs as well purchase orders from customers. The potential for litigation emphasised the importance careful consideration of contracts with clients and customers.

The exposure of an SME to supply chain risk was likely to be influenced by the industry in which it operates. The likely affect on firms in various industries was:

  • Most likely to be affected - education, healthcare, farming and agriculture and food processing;
  • Next worse affected - chemical processing, transportation, legal medical practices, construction and hospitality;
  • Less affected - likely to be retail, discrete manufacturing, publishing, biotechnology and consulting; and
  • Least affected - are likely to be insurance, investment services and banking (Gilbey, 1999).

SMEs that import or export their goods or services may also been exposed to additional supply chain risk according to the general level of Y2K preparedness of the countries involved:

  • Worst affected – Cambodia, China, Indonesia, Philippines, Thailand and Vietnam;
  • Next worst affected – Japan, Malaysia and North Korea;
  • Less affected – New Zealand, Singapore, south Korea and Taiwan; and
  • Least affected – Australia, Canada, Ireland, Switzerland, Netherlands, UK and USA (Gilbey, 1999).

The extent of supply chain risk exposure faced by Australian firms was likely to be significant with the prediction that serious interruptions to imports and exports were likely to have been experienced by firms with major trading partners such as Indonesia, China and Malaysia due to their poor level of Y2K preparedness (Hepworth and Connors, 1999).

In Australia, Business Victoria (1999, pp. 8-11) outlines a number of steps by which supply chain risk may have been assessed and addressed:

  1. Listing suppliers and customers

A list of the firm’s suppliers and customers should have been composed, being sure to include the most significant businesses if not all of them. This was obtainable from computer-based accounting systems that many small businesses have, by printing a list of creditors (suppliers) and debtors (customers) with contact details (name and address). Alternatively, the information may been extracted from a manual accounting system through records of the last 12 months of activity.

  1. Reliance on suppliers and customers

The level of risk that each supplier and customer posed to the business in the event that they should cease supplying the business or buying from it due to a Y2K event should have been assessed. The impact on the business could be determined by considering the number and size of transactions that had occurred over the past year with suppliers and customers. For many businesses, a small number of suppliers provide the key goods or services used by a business and equally, a small number of customers order the majority of goods or services from a small business.

  1. Risk represented by suppliers and customers

Assign a level of risk or exposure to these supply links as may be done with regard to operating systems and equipment. A useful guide was standard SAA/SNZHB104:1997 produced by Standards Australia which outlined four categories of Y2K exposure in decreasing order of severity as Fatal, Critical, Manageable and Marginal. Broadly, suppliers of goods or services that the business relied on heavily and whose failure would have had a fatal or critical impact fall into the former two categories. Suppliers from whom the firm purchased infrequently and /or in small quantities or that would have had a minimal effect on the business if they failed to supply due to Y2K should have been categorised as manageable or marginal. This standard was available from the Standards Australia website or from the National Sales Centre on 1300 654 646. The ‘Fatal’ or ‘Critical’ suppliers should have been contacted first.