oversight

Year 2000 Computing Crisis: Risk of Serious Disruption to Essential Government Functions Calls for Agency Action Now

Published by the Government Accountability Office on 1997-02-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the National Commission on Restructuring the
                          Internal Revenue Service




For Release on Delivery
Expected at
9 a.m.
                          YEAR 2000 COMPUTING
Thursday,
February 27, 1997         CRISIS

                          Risk of Serious Disruption to
                          Essential Government
                          Functions Calls for Agency
                          Action Now
                          Statement of Joel C. Willemssen
                          Director, Information Resources Management
                          Accounting and Information Management Division




GAO/T-AIMD-97-52
Members of the Commission:

As you know, the upcoming change of century poses serious risks to
virtually all functions—public and private—that rely on computer systems.
This year 2000 computing problem has received a great deal of attention,
and deservedly so. The area has recently been added to our list of high-risk
issues because of its potential for widespread adverse impact on
government operations. As in the private sector, there is much that needs
to be done if the federal government is to avoid the disruption of
important services on which millions of Americans depend—and,
fortunately, much that can be done. I am pleased to share with you today
information gathered from numerous sources about the steps agencies can
take to reduce the risk of year 2000 computer system failures by making
their systems what is called year 2000-compliant.

Let me begin by summarizing the problem. Since the birth of the computer
era, computer systems have typically used two digits to represent the year,
such as “97” for 1997, in order to conserve electronic data storage and
reduce operating costs. In the two-digit format, however, 2000 is
indistinguishable from 1900 because both are represented as “00.” As a
result, if not modified, computer systems or applications that use dates or
perform date- or time-sensitive calculations may generate incorrect results
beyond 1999. In fact, such problems will begin well before January 1, 2000,
because they will affect all calculations that project into the next century.

Who could be affected? Virtually every citizen. Every government program
that provides benefits in any way is subject to these problems, from social
security and veterans’ benefits to student loans and subsidized housing.
This is not simply a government issue, it is something that will touch us all.
As an example of what could go wrong, an individual born in 1935 who
expects a certain benefit at age 65 assumes that this will begin in the year
2000. Yet if the system reads 2000 as 1900, that person is negative 35 years
old—not even born yet.

Correcting the problem, in government as in the private sector, will be
labor-intensive and time-consuming—and must be done while systems
continue to operate. Many of the federal government’s computer systems
were originally designed and developed 20 to 25 years ago, are poorly
documented, and use a variety of computer languages—many of which are
obsolete. The systems consist of tens or hundreds of computer programs,
each with thousands, tens of thousands, or even millions of lines of code,
which must be examined for date format problems. In addition, the



Page 1                                                       GAO/T-AIMD-97-52
systems have numerous components—hardware, operating systems,
communications applications, and database software—that are affected by
the date problem.

Make no mistake: Every federal agency is at risk of system failures.
Modifying systems will be a massive undertaking, and agencies must begin
to address this challenge now—if they have not already started.

Ironically, perhaps, the enormous challenge involved in achieving year
2000 compliance is not technical; it is, rather, managerial. Whether
agencies succeed or fail will be largely influenced by the quality of
executive leadership and program management. Executive leadership sets
the tone; program management makes change happen. It will be
imperative for top agency management—including the agency head and
the chief information officer, or CIO—to not only be fully aware of the
importance of this undertaking, but to communicate this awareness and
urgency to all agency personnel in such a way that everyone understands
why year 2000 compliance is so important.

An agency’s ability to successfully manage its year 2000 program will also
depend on the degree to which the agency has institutionalized key
systems development and program management practices, and on its
experience in managing large-scale software conversion or systems
development efforts. GAO has reported on numerous occasions that
agencies need to address and improve their management of information
technology. Accordingly, to carry out their year 2000 programs, agencies
need to assess their information resources management, or IRM,
capabilities and, if necessary, upgrade them. In this process agencies
should also consider soliciting assistance from organizations experienced
in managing major software conversions.

GAO has developed a guide that constitutes a framework that agencies can
use to assess their readiness to achieve year 2000 compliance. It provides
information on the scope of the challenge and offers a structured,
step-by-step approach for reviewing the adequacy of agency planning and
management of its year 2000 program. The guide draws heavily on the
work of the Best Practices Subcommittee of the Interagency Year 2000
Committee and incorporates guidance and practices identified by leading
information technology organizations. Copies of an exposure draft of this
guide, released this past Monday, are available at this hearing today.1

1
 Year 2000 Computing Crisis: An Assessment Guide [exposure draft] (GAO/AIMD-10.1.14,
February 1997).



Page 2                                                                      GAO/T-AIMD-97-52
            The guide is divided into five sections, which correspond with the five
            phases that we see representing a year 2000 program. Most of the
            remainder of my statement today will discuss the substance of these five
            phases: awareness, assessment, renovation, validation, and
            implementation. Let me first describe each in broad terms. (Attached are
            illustrations of both the year 2000 program phases, and a timeline showing
            the important milestones from awareness through implementation.)

            Phase 1, AWARENESS, encompasses problem definition and executive
            support and sponsorship; the year 2000 team is assembled and an overall
            strategy developed. In phase 2, ASSESSMENT, the impact of the century
            change on the organization is examined, and core business processes are
            identified. Phase 3 is RENOVATION, in which technical system elements
            are converted or replaced. In phase 4, VALIDATION, replaced elements
            are thoroughly tested, as is overall performance. Finally, phase 5 is
            IMPLEMENTATION: New elements are integrated as part of the system.

            It must be remembered that management of the overall year 2000 program
            and its individual projects is ongoing, throughout all phases. The year 2000
            program should be planned and managed as a single, large
            information-systems project. Along with planned monitoring, policies and
            procedures that must be in place include quality assurance, risk
            management, scheduling and tracking, and budgeting.

            At this time I’d like to highlight in more detail the main points in each of
            the five phases.


            Awareness is a critical first step. Many people who may have heard
Awareness   something about a year 2000 computer problem do not yet fully
            understand what it’s about and why it matters. For agency personnel, this
            is imperative. This is also the phase in which an organization within the
            agency is identified to take the lead in correcting the problem. The CIO, in
            concert with the project teams, must select a workable approach to the
            problem, examine the existing IRM infrastructure, and obtain needed
            resources.

            More specifically, during this phase, agencies should focus their energies
            on defining the year 2000 problem and its potential impact, assessing the
            adequacy of program management capabilities, developing a strategy,
            establishing an executive management council, appointing a program
            manager, and establishing a program office.



            Page 3                                                        GAO/T-AIMD-97-52
             The main thrust of assessment is separating the mission-critical
Assessment   systems—which must be converted or replaced—from important ones that
             should be converted or replaced and marginal ones that may be addressed
             now or deferred. It is important to remember that the year 2000 problem is
             primarily a business problem, not just an issue of information technology.
             This is why it is essential to assess the impact of potential year
             2000-induced system failures on core business functions and
             mission-critical processes.

             To determine specifically what must be done and when, agencies should
             inventory their information systems in each business area, assign priority
             to individual systems, establish project teams for business areas and major
             systems, and develop a program plan. Agencies should also develop
             validation strategies and testing plans, identify and acquire tools, and
             develop contingency plans. Assessments also need to include other
             systems that affect the business, such as telephone switching systems.


             This phase deals with making actual changes, whether eliminating,
Renovation   converting, or replacing hardware and software, and documenting those
             changes. In all cases, it will be important to consider the complex
             interdependencies among systems and applications. All changes also need
             to be consistent agencywide, and information about changes clearly
             disseminated to users.

             In addition to the conversion of selected applications and related system
             components, agencies must address data exchange issues, document code
             and system changes, and track and measure renovation processes.


             The validation phase may well take agencies over a year to complete, and
Validation   consume up to half of the year 2000 program’s budget and resources. This
             is due to the complex interrelationships among scores of applications,
             databases, and operating systems. Yet this is precisely why the testing and
             validation are so essential: It is the only way to ensure that changes
             expected to work do in fact work. It will be important for agencies to
             satisfy themselves that their testing procedures are indeed up to this
             challenge, that their results can be trusted.

             During this phase, agencies should develop and document test plans and
             schedules; develop a strategy for managing testing of contractor-converted
             systems; implement a year 2000 test facility; perform system testing; and



             Page 4                                                      GAO/T-AIMD-97-52
                 define, collect, and use test measurements for managing the validation
                 process.


                 Implementing year 2000-compliant systems and their components requires
Implementation   extensive integration and acceptance testing to ensure that all components
                 perform as needed in an operating environment consisting of diverse types
                 of systems. In addition, since not all system elements will be converted or
                 replaced simultaneously, agencies may for a time operate with a mix of
                 year 2000-compliant and noncompliant systems. To reduce risk as systems
                 are converted or replaced, it may be wise for agencies to operate in a
                 parallel processing mode for a period for selected systems—using the old
                 and new systems side-by-side simultaneously. This redundancy can act as
                 a fail-safe mechanism until it is clear that all changed systems are
                 operating correctly.

                 During this phase, agencies must also define the environment and
                 procedures to be followed during transition to the renovated systems,
                 develop an implementation schedule, resolve interagency and data
                 exchange concerns, address database questions, complete acceptance
                 testing, develop contingency plans, and update or develop disaster
                 recovery plans.

                 In closing, let me reiterate that while the year 2000 problem is serious and
                 could well become a crisis for any organization that fails to take its
                 demands seriously, it is correctable. It will take long, hard effort, but it
                 can—and must—be done. There is much that can be done, and the time is
                 now.


                 This concludes my statement. I’d be pleased to respond to any questions
                 you or other members of the Commission may have at this time.




                 Page 5                                                       GAO/T-AIMD-97-52
Attachment I

Year 2000 Program Phases



        GAO Year 2000 Program Phases



                                                           Define problem
                                           Awareness       Ensure executive support
                                                           Spread word
                                                           Establish team

                                                           Assess impact
                                           Assessment      Identify core business
                                                           Inventory/prioritize systems
                                                           Develop contingency plans


               Program/Project                             Convert/replace/eliminate
                                           Renovation      as needed
                Management
                                                           Modify interfaces



                                                           Test/verify changed systems
                                            Validation     in operational environment




                                                           Put changed systems
                                          Implementation   into operation




                                 Page 6                                                   GAO/T-AIMD-97-52
Attachment II

Year 2000 Milestones



           GAO Year 2000 Milestones




                   Awareness



                                                   Assessment



                                                                                                       Renovation


                                                                                                                                                            Validation and
                                                                                                                                                           Implementation

           J   F   M   A   M   J   J   A   S   O   N   D   J   F   M   A   M   J   J   A   S   O   N   D   J   F   M   A   M   J   J   A   S   O   N   D   J   F   M   A   M   J   J   A   S   O   N   D




                           1996                                             1997                                           1998                                            1999




(511420)                                                                   Page 7                                                                                                                          GAO/T-AIMD-97-52
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested