United States General Accounting Office GAO Testimony Before the National Commission on Restructuring the Internal Revenue Service For Release on Delivery Expected at 9 a.m. YEAR 2000 COMPUTING Thursday, February 27, 1997 CRISIS Risk of Serious Disruption to Essential Government Functions Calls for Agency Action Now Statement of Joel C. Willemssen Director, Information Resources Management Accounting and Information Management Division GAO/T-AIMD-97-52 Members of the Commission: As you know, the upcoming change of century poses serious risks to virtually all functions—public and private—that rely on computer systems. This year 2000 computing problem has received a great deal of attention, and deservedly so. The area has recently been added to our list of high-risk issues because of its potential for widespread adverse impact on government operations. As in the private sector, there is much that needs to be done if the federal government is to avoid the disruption of important services on which millions of Americans depend—and, fortunately, much that can be done. I am pleased to share with you today information gathered from numerous sources about the steps agencies can take to reduce the risk of year 2000 computer system failures by making their systems what is called year 2000-compliant. Let me begin by summarizing the problem. Since the birth of the computer era, computer systems have typically used two digits to represent the year, such as “97” for 1997, in order to conserve electronic data storage and reduce operating costs. In the two-digit format, however, 2000 is indistinguishable from 1900 because both are represented as “00.” As a result, if not modified, computer systems or applications that use dates or perform date- or time-sensitive calculations may generate incorrect results beyond 1999. In fact, such problems will begin well before January 1, 2000, because they will affect all calculations that project into the next century. Who could be affected? Virtually every citizen. Every government program that provides benefits in any way is subject to these problems, from social security and veterans’ benefits to student loans and subsidized housing. This is not simply a government issue, it is something that will touch us all. As an example of what could go wrong, an individual born in 1935 who expects a certain benefit at age 65 assumes that this will begin in the year 2000. Yet if the system reads 2000 as 1900, that person is negative 35 years old—not even born yet. Correcting the problem, in government as in the private sector, will be labor-intensive and time-consuming—and must be done while systems continue to operate. Many of the federal government’s computer systems were originally designed and developed 20 to 25 years ago, are poorly documented, and use a variety of computer languages—many of which are obsolete. The systems consist of tens or hundreds of computer programs, each with thousands, tens of thousands, or even millions of lines of code, which must be examined for date format problems. In addition, the Page 1 GAO/T-AIMD-97-52 systems have numerous components—hardware, operating systems, communications applications, and database software—that are affected by the date problem. Make no mistake: Every federal agency is at risk of system failures. Modifying systems will be a massive undertaking, and agencies must begin to address this challenge now—if they have not already started. Ironically, perhaps, the enormous challenge involved in achieving year 2000 compliance is not technical; it is, rather, managerial. Whether agencies succeed or fail will be largely influenced by the quality of executive leadership and program management. Executive leadership sets the tone; program management makes change happen. It will be imperative for top agency management—including the agency head and the chief information officer, or CIO—to not only be fully aware of the importance of this undertaking, but to communicate this awareness and urgency to all agency personnel in such a way that everyone understands why year 2000 compliance is so important. An agency’s ability to successfully manage its year 2000 program will also depend on the degree to which the agency has institutionalized key systems development and program management practices, and on its experience in managing large-scale software conversion or systems development efforts. GAO has reported on numerous occasions that agencies need to address and improve their management of information technology. Accordingly, to carry out their year 2000 programs, agencies need to assess their information resources management, or IRM, capabilities and, if necessary, upgrade them. In this process agencies should also consider soliciting assistance from organizations experienced in managing major software conversions. GAO has developed a guide that constitutes a framework that agencies can use to assess their readiness to achieve year 2000 compliance. It provides information on the scope of the challenge and offers a structured, step-by-step approach for reviewing the adequacy of agency planning and management of its year 2000 program. The guide draws heavily on the work of the Best Practices Subcommittee of the Interagency Year 2000 Committee and incorporates guidance and practices identified by leading information technology organizations. Copies of an exposure draft of this guide, released this past Monday, are available at this hearing today.1 1 Year 2000 Computing Crisis: An Assessment Guide [exposure draft] (GAO/AIMD-10.1.14, February 1997). Page 2 GAO/T-AIMD-97-52 The guide is divided into five sections, which correspond with the five phases that we see representing a year 2000 program. Most of the remainder of my statement today will discuss the substance of these five phases: awareness, assessment, renovation, validation, and implementation. Let me first describe each in broad terms. (Attached are illustrations of both the year 2000 program phases, and a timeline showing the important milestones from awareness through implementation.) Phase 1, AWARENESS, encompasses problem definition and executive support and sponsorship; the year 2000 team is assembled and an overall strategy developed. In phase 2, ASSESSMENT, the impact of the century change on the organization is examined, and core business processes are identified. Phase 3 is RENOVATION, in which technical system elements are converted or replaced. In phase 4, VALIDATION, replaced elements are thoroughly tested, as is overall performance. Finally, phase 5 is IMPLEMENTATION: New elements are integrated as part of the system. It must be remembered that management of the overall year 2000 program and its individual projects is ongoing, throughout all phases. The year 2000 program should be planned and managed as a single, large information-systems project. Along with planned monitoring, policies and procedures that must be in place include quality assurance, risk management, scheduling and tracking, and budgeting. At this time I’d like to highlight in more detail the main points in each of the five phases. Awareness is a critical first step. Many people who may have heard Awareness something about a year 2000 computer problem do not yet fully understand what it’s about and why it matters. For agency personnel, this is imperative. This is also the phase in which an organization within the agency is identified to take the lead in correcting the problem. The CIO, in concert with the project teams, must select a workable approach to the problem, examine the existing IRM infrastructure, and obtain needed resources. More specifically, during this phase, agencies should focus their energies on defining the year 2000 problem and its potential impact, assessing the adequacy of program management capabilities, developing a strategy, establishing an executive management council, appointing a program manager, and establishing a program office. Page 3 GAO/T-AIMD-97-52 The main thrust of assessment is separating the mission-critical Assessment systems—which must be converted or replaced—from important ones that should be converted or replaced and marginal ones that may be addressed now or deferred. It is important to remember that the year 2000 problem is primarily a business problem, not just an issue of information technology. This is why it is essential to assess the impact of potential year 2000-induced system failures on core business functions and mission-critical processes. To determine specifically what must be done and when, agencies should inventory their information systems in each business area, assign priority to individual systems, establish project teams for business areas and major systems, and develop a program plan. Agencies should also develop validation strategies and testing plans, identify and acquire tools, and develop contingency plans. Assessments also need to include other systems that affect the business, such as telephone switching systems. This phase deals with making actual changes, whether eliminating, Renovation converting, or replacing hardware and software, and documenting those changes. In all cases, it will be important to consider the complex interdependencies among systems and applications. All changes also need to be consistent agencywide, and information about changes clearly disseminated to users. In addition to the conversion of selected applications and related system components, agencies must address data exchange issues, document code and system changes, and track and measure renovation processes. The validation phase may well take agencies over a year to complete, and Validation consume up to half of the year 2000 program’s budget and resources. This is due to the complex interrelationships among scores of applications, databases, and operating systems. Yet this is precisely why the testing and validation are so essential: It is the only way to ensure that changes expected to work do in fact work. It will be important for agencies to satisfy themselves that their testing procedures are indeed up to this challenge, that their results can be trusted. During this phase, agencies should develop and document test plans and schedules; develop a strategy for managing testing of contractor-converted systems; implement a year 2000 test facility; perform system testing; and Page 4 GAO/T-AIMD-97-52 define, collect, and use test measurements for managing the validation process. Implementing year 2000-compliant systems and their components requires Implementation extensive integration and acceptance testing to ensure that all components perform as needed in an operating environment consisting of diverse types of systems. In addition, since not all system elements will be converted or replaced simultaneously, agencies may for a time operate with a mix of year 2000-compliant and noncompliant systems. To reduce risk as systems are converted or replaced, it may be wise for agencies to operate in a parallel processing mode for a period for selected systems—using the old and new systems side-by-side simultaneously. This redundancy can act as a fail-safe mechanism until it is clear that all changed systems are operating correctly. During this phase, agencies must also define the environment and procedures to be followed during transition to the renovated systems, develop an implementation schedule, resolve interagency and data exchange concerns, address database questions, complete acceptance testing, develop contingency plans, and update or develop disaster recovery plans. In closing, let me reiterate that while the year 2000 problem is serious and could well become a crisis for any organization that fails to take its demands seriously, it is correctable. It will take long, hard effort, but it can—and must—be done. There is much that can be done, and the time is now. This concludes my statement. I’d be pleased to respond to any questions you or other members of the Commission may have at this time. Page 5 GAO/T-AIMD-97-52 Attachment I Year 2000 Program Phases GAO Year 2000 Program Phases Define problem Awareness Ensure executive support Spread word Establish team Assess impact Assessment Identify core business Inventory/prioritize systems Develop contingency plans Program/Project Convert/replace/eliminate Renovation as needed Management Modify interfaces Test/verify changed systems Validation in operational environment Put changed systems Implementation into operation Page 6 GAO/T-AIMD-97-52 Attachment II Year 2000 Milestones GAO Year 2000 Milestones Awareness Assessment Renovation Validation and Implementation J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D 1996 1997 1998 1999 (511420) Page 7 GAO/T-AIMD-97-52 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 6015 Gaithersburg, MD 20884-6015 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (301) 258-4066, or TDD (301) 413-0006. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: Risk of Serious Disruption to Essential Government Functions Calls for Agency Action Now
Published by the Government Accountability Office on 1997-02-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)