United States General Accounting Office GAO Testimony Before the Subcommittee on Public Safety and Administration, Committee on Appropriations, House of Delegates, State of Maryland For Release on Delivery Expected at 3 p.m. YEAR 2000 COMPUTING Thursday, September 25, 1997 CRISIS Success Depends Upon Strong Management and Structured Approach Statement of Joel C. Willemssen Director, Information Resources Management Accounting and Information Management Division GAO/T-AIMD-97-173 Mr. Chairman and Members of the Committee: I am honored to be here today and look forward to sharing with Maryland lawmakers the perspective of the U.S. General Accounting Office on addressing one of the most far-reaching technology issues of the computer age: the impact of the year 2000 on automated systems. This issue has received a great deal of attention—and deservedly so. The upcoming change of century poses significant risks to virtually all functions, public and private, that rely on computer systems. Because of its potential effect on federal operations, the Year 2000 problem has been designated one of GAO’s high-risk areas.1 The potential impact on state government is likewise immense. As in the private and federal sectors, there is much that needs to be done if states are to avoid the problems that will almost inevitably follow from systems that have not been renovated, replaced, or retired. Many of the state services on which your constituents depend emanate from automated systems; investing in making these systems what is called Year 2000 compliant is absolutely necessary to avoid the inevitable chaos that will result from systems that have not been converted. Most of my presentation to you today will consist of guidelines for how to go about addressing the Year 2000 problem. First, however, a quick look at what the problem is, and why it happened. For the past several decades, computer systems have typically used two The Problem: 2000 Is digits to represent the year, such as “97” for 1997, in order to conserve Not 1900 electronic space and reduce operating costs. In this format, however, 2000 is indistinguishable from 1900 because both are represented as “00.” As a result, if not modified, computer systems or applications that use dates or perform date- or time-sensitive calculations may generate incorrect results beyond 1999. Year 2000-related problems are not merely hypothetical; they have already occurred. An automated Department of Defense information system erroneously deactivated 90,000 inventoried items as the result of an incorrect date calculation; correcting the error took 400 hours of work. Who could be affected? Virtually everyone. Every program that provides benefits in any way is subject to these problems because they all inevitably 1 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997). Page 1 GAO/T-AIMD-97-173 rely on age, date of birth, or some other kind of date-sensitive data in determining eligibility. Here’s how: Suppose a recipient of a particular state benefit reaches eligibility at age 65. If born in 1930, eligibility began in 1995. Yet if, in 2000, an uncorrected computer system reads the current date of “00” as 1900, the recipient would be seen as negative 30 years old—not even born yet. As a result, benefits that had been received for 5 years could cease, because the system would judge the individual to be ineligible. Younger citizens would likewise be affected. If someone born in 1984 seeks to obtain a driver’s license in 2000, at age 16, he or she had better hope that the system used by the motor vehicles department has been converted. Otherwise, when “00” is read as 1900, the teenager will be seen as negative 84 years old—hardly ready to drive. Mr. Chairman, correcting the problem—in the State of Maryland as Correcting the elsewhere—will be labor-intensive and time-consuming; it must also be Problem accomplished while systems continue to operate. Systems may well have been designed and developed 20 to 25 years ago; they may have used a variety of computer languages—many of them old or obsolete—and documentation may be poor. Typical systems contain tens or hundreds of computer programs, each with thousands, tens of thousands, or even millions of lines of software code. Examining software code for date format problems, and making the necessary changes, is why the process is so time-consuming. The systems also typically have numerous components—hardware, operating systems, communications applications, and database software—that are likewise affected by the date problem. Accordingly, regardless of some vendor claims, no one single solution exists. States will need to be careful to ensure that incoming data from any source external to a particular system is Year 2000 compliant—whether that external source be a federal system, one from another state, the private sector, or even another system within the same state. It will be necessary to communicate with all exchange partners to ascertain whether the systems through which data are received have been made Year 2000 compliant. Where this is not the case, appropriate bridges will need to be developed to safeguard converted state systems from being corrupted by exposure to data from noncompliant systems. Page 2 GAO/T-AIMD-97-173 An important point to remember in deciding how to approach the overall problem is that while the solution may be tedious to carry out, the challenge is not primarily technical, but managerial. That’s why a main predictor of success will be an organization’s ability to harness strong leadership and program management capabilities. Heads of organizational units must communicate the importance of Year 2000 compliance to employees and work closely with the chief information officer or equivalent. Over the past year we at GAO have evaluated plans for addressing the year 2000 at several federal departments or agencies, including the Department of Veterans Affairs’ Veterans Benefits Administration, the Department of Defense, and the Department of Health and Human Services’ Health Care Financing Administration. Several other reviews are ongoing. We are finding that, in many instances, organizations need to improve their management of information technology. Especially in cases in which there is little experience in dealing with large-scale software conversion or systems development projects, it is important that tested, structured systems development and program management approaches be followed. GAO has developed a guide that constitutes a framework for organizations to use in assessing their capability to achieve Year 2000 compliance.2 Released as an exposure draft in February and in final just last week, it provides information on the scope of the challenge and offers a structured, step-by-step approach for reviewing the adequacy of an organization’s planning and management of its Year 2000 program. The guide draws on the work of the federal Chief Information Officers Council Subcommittee on Year 2000, and incorporates guidance and practices identified by leading information technology organizations. I have copies with me today that I would be happy to leave with you. The guide is divided into five sections that correspond with the five phases that we see representing a Year 2000 program. Before going into greater depth for each phase, I’d like to first describe them in broad terms. The phases are awareness, assessment, renovation, validation, and implementation. Attached to my statement today—and illustrated on my two presentation boards—are representations of both the Year 2000 program phases and a timeline showing the duration of each phase. Phase 1, AWARENESS, encompasses problem definition and executive support and sponsorship; the Year 2000 team is assembled and an overall 2 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Page 3 GAO/T-AIMD-97-173 strategy developed. In phase 2, ASSESSMENT, the severity of potential failures from uncorrected systems is gauged, inventories of systems are conducted, and strategies for implementing necessary changes are developed. Phase 3 is RENOVATION, in which technical system elements are converted or replaced. In phase 4, VALIDATION, corrected systems are tested. Finally, phase 5 is IMPLEMENTATION: corrected systems are put into operation. Management of the overall Year 2000 program and its individual projects is ongoing, throughout all phases. The program should be planned and managed as a single, large information-systems project. Along with planned monitoring, policies and procedures that must be in place include quality assurance, risk management, scheduling and tracking, and budgeting. Year 2000 Program Phases: A Structured Approach Awareness As I mentioned earlier in the context of leadership, awareness is a critical first step. Many people who may have heard something about a Year 2000 computer problem do not yet fully understand what it’s about and why it matters. It is imperative that state employees understand this. Also in this phase, a specific unit within the overall organization is identified to take the lead in correcting the problem. Senior state information technology specialists, in concert with the project teams, need to select a workable approach to the problem, examine the existing information resources management infrastructure, and obtain needed resources. More specifically, during this phase an organization should focus its energies on defining the Year 2000 problem, assessing the adequacy of program management capabilities, developing an overall strategy, appointing a program manager, and establishing a program office. Assessment The main thrust of assessment is separating the mission-critical systems—which must be converted or replaced—from important ones that should be converted or replaced and marginal ones that may be addressed now or deferred. It is important to remember that the Year 2000 Page 4 GAO/T-AIMD-97-173 problem is primarily a business problem, not just an issue of information technology. This is why it is essential to assess the impact of potential Year 2000-induced system failures on core business functions and mission-critical processes. To determine specifically what must be done and when, it is essential to inventory information systems in each business area, assign priority to individual systems, establish project teams for business areas and major systems, and develop a program plan. Organizations should also start developing overall validation strategies and testing plans, and identifying and acquiring tools. In addition, in order to ensure the continuity of core business processes should renovations or replacements not be completed in time, realistic contingency plans should be developed for mission-critical systems. Finally, assessments also need to include other systems that affect the business, such as telephone switching systems. Renovation This phase deals with making actual changes, whether eliminating, converting, or replacing hardware and software, and documenting those changes. In all cases, it will be important to consider the complex interdependencies among systems and applications. All changes also need to be consistent throughout the organization, and information about changes clearly disseminated to users. In addition to the conversion of selected applications and related system components, the organization must also document code and system changes and track and measure renovation processes. Validation The validation phase may well take over a year to complete, and consume up to half of the Year 2000 program’s budget and resources. This is due to the complex interrelationships among multiple applications, databases, and operating systems. Yet this is precisely why testing and validation are so essential: It is the only way to ensure that changes expected to work do in fact work. It will be important for program managers to satisfy themselves that their testing procedures are indeed up to this challenge, that their results can be trusted. During this phase, organizations should document test plans and schedules; develop a strategy for managing testing of contractor-converted systems; implement a Year 2000 test facility; perform system testing; and Page 5 GAO/T-AIMD-97-173 define, collect, and use test measurements for managing the validation process. Implementation Implementing Year 2000 compliant systems and their components requires extensive integration and acceptance testing to ensure that all components perform as needed in a heterogeneous operating environment. In addition, since not all components will be converted or replaced simultaneously, organizations may for a time operate with a mix of Year 2000 compliant and noncompliant systems. To reduce risk as systems are converted or replaced, it may be wise to operate in a parallel processing mode for a period for selected systems—using old and new systems side-by-side simultaneously—so that this redundancy may act as a fail-safe mechanism until it is clear that all changed systems are operating correctly. In closing, Mr. Chairman, I would like to thank you for inviting me to speak here today. The Year 2000 problem is serious and could well become a crisis for any organization—public or private—that fails to take its demands seriously. However, with sustained effort, it can—and must—be addressed. I would be pleased to respond to any questions that you or other Delegates may have at this time. Page 6 GAO/T-AIMD-97-173 Page 7 GAO/T-AIMD-97-173 Attachment I Year 2000 Program Phases GAO Year 2000 Program Phases • Ensure executive support Awareness • Spread word • Establish team • Assess impact • Inventory systems Assessment • Prioritize scheduled renovations • Develop validation strategies • Address data exchange issues Program/Project • Convert/replace/retire systems Management Renovation • Modify interfaces Validation • Implement test facility and tools • Test systems Implementation • Put changed systems into operation Page 8 GAO/T-AIMD-97-173 Attachment II Year 2000 Milestones GAO Year 2000 Milestones Awareness Assessment Renovation Validation and Implementation J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D 1996 1997 1998 1999 (511435) Page 9 GAO/T-AIMD-97-173 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: Success Depends Upon Strong Management and Structured Approach
Published by the Government Accountability Office on 1997-09-25.
Below is a raw (and likely hideous) rendition of the original report. (PDF)