oversight

Year 2000 Computing Crisis: Success Depends Upon Strong Management and Structured Approach

Published by the Government Accountability Office on 1997-09-25.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Public Safety and
                          Administration, Committee on Appropriations, House of
                          Delegates, State of Maryland


For Release on Delivery
Expected at
3 p.m.
                          YEAR 2000 COMPUTING
Thursday,
September 25, 1997        CRISIS

                          Success Depends Upon
                          Strong Management and
                          Structured Approach
                          Statement of Joel C. Willemssen
                          Director, Information Resources Management
                          Accounting and Information Management Division




GAO/T-AIMD-97-173
                       Mr. Chairman and Members of the Committee:

                       I am honored to be here today and look forward to sharing with Maryland
                       lawmakers the perspective of the U.S. General Accounting Office on
                       addressing one of the most far-reaching technology issues of the computer
                       age: the impact of the year 2000 on automated systems. This issue has
                       received a great deal of attention—and deservedly so. The upcoming
                       change of century poses significant risks to virtually all functions, public
                       and private, that rely on computer systems. Because of its potential effect
                       on federal operations, the Year 2000 problem has been designated one of
                       GAO’s high-risk areas.1


                       The potential impact on state government is likewise immense. As in the
                       private and federal sectors, there is much that needs to be done if states
                       are to avoid the problems that will almost inevitably follow from systems
                       that have not been renovated, replaced, or retired. Many of the state
                       services on which your constituents depend emanate from automated
                       systems; investing in making these systems what is called Year 2000
                       compliant is absolutely necessary to avoid the inevitable chaos that will
                       result from systems that have not been converted.

                       Most of my presentation to you today will consist of guidelines for how to
                       go about addressing the Year 2000 problem. First, however, a quick look at
                       what the problem is, and why it happened.


                       For the past several decades, computer systems have typically used two
The Problem: 2000 Is   digits to represent the year, such as “97” for 1997, in order to conserve
Not 1900               electronic space and reduce operating costs. In this format, however, 2000
                       is indistinguishable from 1900 because both are represented as “00.” As a
                       result, if not modified, computer systems or applications that use dates or
                       perform date- or time-sensitive calculations may generate incorrect results
                       beyond 1999.

                       Year 2000-related problems are not merely hypothetical; they have already
                       occurred. An automated Department of Defense information system
                       erroneously deactivated 90,000 inventoried items as the result of an
                       incorrect date calculation; correcting the error took 400 hours of work.

                       Who could be affected? Virtually everyone. Every program that provides
                       benefits in any way is subject to these problems because they all inevitably

                       1
                        High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).



                       Page 1                                                                     GAO/T-AIMD-97-173
                 rely on age, date of birth, or some other kind of date-sensitive data in
                 determining eligibility. Here’s how: Suppose a recipient of a particular
                 state benefit reaches eligibility at age 65. If born in 1930, eligibility began
                 in 1995. Yet if, in 2000, an uncorrected computer system reads the current
                 date of “00” as 1900, the recipient would be seen as negative 30 years
                 old—not even born yet. As a result, benefits that had been received for 5
                 years could cease, because the system would judge the individual to be
                 ineligible.

                 Younger citizens would likewise be affected. If someone born in 1984
                 seeks to obtain a driver’s license in 2000, at age 16, he or she had better
                 hope that the system used by the motor vehicles department has been
                 converted. Otherwise, when “00” is read as 1900, the teenager will be seen
                 as negative 84 years old—hardly ready to drive.


                 Mr. Chairman, correcting the problem—in the State of Maryland as
Correcting the   elsewhere—will be labor-intensive and time-consuming; it must also be
Problem          accomplished while systems continue to operate. Systems may well have
                 been designed and developed 20 to 25 years ago; they may have used a
                 variety of computer languages—many of them old or obsolete—and
                 documentation may be poor. Typical systems contain tens or hundreds of
                 computer programs, each with thousands, tens of thousands, or even
                 millions of lines of software code.

                 Examining software code for date format problems, and making the
                 necessary changes, is why the process is so time-consuming. The systems
                 also typically have numerous components—hardware, operating systems,
                 communications applications, and database software—that are likewise
                 affected by the date problem. Accordingly, regardless of some vendor
                 claims, no one single solution exists.

                 States will need to be careful to ensure that incoming data from any
                 source external to a particular system is Year 2000 compliant—whether
                 that external source be a federal system, one from another state, the
                 private sector, or even another system within the same state. It will be
                 necessary to communicate with all exchange partners to ascertain
                 whether the systems through which data are received have been made
                 Year 2000 compliant. Where this is not the case, appropriate bridges will
                 need to be developed to safeguard converted state systems from being
                 corrupted by exposure to data from noncompliant systems.




                 Page 2                                                        GAO/T-AIMD-97-173
An important point to remember in deciding how to approach the overall
problem is that while the solution may be tedious to carry out, the
challenge is not primarily technical, but managerial. That’s why a main
predictor of success will be an organization’s ability to harness strong
leadership and program management capabilities. Heads of organizational
units must communicate the importance of Year 2000 compliance to
employees and work closely with the chief information officer or
equivalent.

Over the past year we at GAO have evaluated plans for addressing the year
2000 at several federal departments or agencies, including the Department
of Veterans Affairs’ Veterans Benefits Administration, the Department of
Defense, and the Department of Health and Human Services’ Health Care
Financing Administration. Several other reviews are ongoing. We are
finding that, in many instances, organizations need to improve their
management of information technology. Especially in cases in which there
is little experience in dealing with large-scale software conversion or
systems development projects, it is important that tested, structured
systems development and program management approaches be followed.

GAO has developed a guide that constitutes a framework for organizations
to use in assessing their capability to achieve Year 2000 compliance.2
Released as an exposure draft in February and in final just last week, it
provides information on the scope of the challenge and offers a structured,
step-by-step approach for reviewing the adequacy of an organization’s
planning and management of its Year 2000 program. The guide draws on
the work of the federal Chief Information Officers Council Subcommittee
on Year 2000, and incorporates guidance and practices identified by
leading information technology organizations. I have copies with me today
that I would be happy to leave with you.

The guide is divided into five sections that correspond with the five phases
that we see representing a Year 2000 program. Before going into greater
depth for each phase, I’d like to first describe them in broad terms. The
phases are awareness, assessment, renovation, validation, and
implementation. Attached to my statement today—and illustrated on my
two presentation boards—are representations of both the Year 2000
program phases and a timeline showing the duration of each phase.

Phase 1, AWARENESS, encompasses problem definition and executive
support and sponsorship; the Year 2000 team is assembled and an overall

2
 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997).



Page 3                                                                    GAO/T-AIMD-97-173
                       strategy developed. In phase 2, ASSESSMENT, the severity of potential
                       failures from uncorrected systems is gauged, inventories of systems are
                       conducted, and strategies for implementing necessary changes are
                       developed. Phase 3 is RENOVATION, in which technical system elements
                       are converted or replaced. In phase 4, VALIDATION, corrected systems
                       are tested. Finally, phase 5 is IMPLEMENTATION: corrected systems
                       are put into operation.

                       Management of the overall Year 2000 program and its individual projects is
                       ongoing, throughout all phases. The program should be planned and
                       managed as a single, large information-systems project. Along with
                       planned monitoring, policies and procedures that must be in place include
                       quality assurance, risk management, scheduling and tracking, and
                       budgeting.



Year 2000 Program
Phases: A Structured
Approach

Awareness              As I mentioned earlier in the context of leadership, awareness is a critical
                       first step. Many people who may have heard something about a Year 2000
                       computer problem do not yet fully understand what it’s about and why it
                       matters. It is imperative that state employees understand this. Also in this
                       phase, a specific unit within the overall organization is identified to take
                       the lead in correcting the problem. Senior state information technology
                       specialists, in concert with the project teams, need to select a workable
                       approach to the problem, examine the existing information resources
                       management infrastructure, and obtain needed resources.

                       More specifically, during this phase an organization should focus its
                       energies on defining the Year 2000 problem, assessing the adequacy of
                       program management capabilities, developing an overall strategy,
                       appointing a program manager, and establishing a program office.


Assessment             The main thrust of assessment is separating the mission-critical
                       systems—which must be converted or replaced—from important ones
                       that should be converted or replaced and marginal ones that may be
                       addressed now or deferred. It is important to remember that the Year 2000



                       Page 4                                                      GAO/T-AIMD-97-173
             problem is primarily a business problem, not just an issue of information
             technology. This is why it is essential to assess the impact of potential
             Year 2000-induced system failures on core business functions and
             mission-critical processes.

             To determine specifically what must be done and when, it is essential to
             inventory information systems in each business area, assign priority to
             individual systems, establish project teams for business areas and major
             systems, and develop a program plan. Organizations should also start
             developing overall validation strategies and testing plans, and identifying
             and acquiring tools. In addition, in order to ensure the continuity of core
             business processes should renovations or replacements not be completed
             in time, realistic contingency plans should be developed for
             mission-critical systems. Finally, assessments also need to include other
             systems that affect the business, such as telephone switching systems.


Renovation   This phase deals with making actual changes, whether eliminating,
             converting, or replacing hardware and software, and documenting those
             changes. In all cases, it will be important to consider the complex
             interdependencies among systems and applications. All changes also need
             to be consistent throughout the organization, and information about
             changes clearly disseminated to users.

             In addition to the conversion of selected applications and related system
             components, the organization must also document code and system
             changes and track and measure renovation processes.


Validation   The validation phase may well take over a year to complete, and consume
             up to half of the Year 2000 program’s budget and resources. This is due to
             the complex interrelationships among multiple applications, databases,
             and operating systems. Yet this is precisely why testing and validation are
             so essential: It is the only way to ensure that changes expected to work do
             in fact work. It will be important for program managers to satisfy
             themselves that their testing procedures are indeed up to this challenge,
             that their results can be trusted.

             During this phase, organizations should document test plans and
             schedules; develop a strategy for managing testing of contractor-converted
             systems; implement a Year 2000 test facility; perform system testing; and




             Page 5                                                     GAO/T-AIMD-97-173
                 define, collect, and use test measurements for managing the validation
                 process.


Implementation   Implementing Year 2000 compliant systems and their components requires
                 extensive integration and acceptance testing to ensure that all components
                 perform as needed in a heterogeneous operating environment. In addition,
                 since not all components will be converted or replaced simultaneously,
                 organizations may for a time operate with a mix of Year 2000 compliant
                 and noncompliant systems. To reduce risk as systems are converted or
                 replaced, it may be wise to operate in a parallel processing mode for a
                 period for selected systems—using old and new systems side-by-side
                 simultaneously—so that this redundancy may act as a fail-safe mechanism
                 until it is clear that all changed systems are operating correctly.


                 In closing, Mr. Chairman, I would like to thank you for inviting me to
                 speak here today. The Year 2000 problem is serious and could well
                 become a crisis for any organization—public or private—that fails to take
                 its demands seriously. However, with sustained effort, it can—and
                 must—be addressed. I would be pleased to respond to any questions that
                 you or other Delegates may have at this time.




                 Page 6                                                    GAO/T-AIMD-97-173
Page 7   GAO/T-AIMD-97-173
Attachment I

Year 2000 Program Phases



   GAO         Year 2000 Program Phases


                                                           • Ensure executive support
                                            Awareness      • Spread word
                                                           • Establish team

                                                           •   Assess impact
                                                           •   Inventory systems
                                           Assessment      •   Prioritize scheduled renovations
                                                           •   Develop validation strategies
                                                           •   Address data exchange issues

               Program/Project                             • Convert/replace/retire systems
               Management                  Renovation
                                                           • Modify interfaces



                                            Validation     • Implement test facility and tools
                                                           • Test systems



                                          Implementation   • Put changed systems into operation




                                 Page 8                                                  GAO/T-AIMD-97-173
Attachment II

Year 2000 Milestones



    GAO          Year 2000 Milestones


           Awareness




                              Assessment




                                               Renovation




                                                                     Validation and Implementation


     J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D


                1996                 1997                    1998                      1999




(511435)                           Page 9                                                GAO/T-AIMD-97-173
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested