United States General Accounting Office GAO Testimony Before the Subcommittee on the District of Columbia, Committee on Government Reform, House of Representatives For Release on Delivery Expected at YEAR 2000 COMPUTING CRISIS 9:30 a.m. Friday, February 19, 1999 The District of Columbia Remains Behind Schedule Statement of Jack L. Brock, Jr. Director, Governmentwide and Defense Information Systems Accounting and Information Management Division GAO/T-AIMD-99-84 Mr. Chairman and Members of the Subcommittee: Thank you for inviting me to participate in today’s hearing on the challenges facing the District of Columbia in addressing the Year 2000 problem. As you know, the District of Columbia, like many public and private organizations, is extremely vulnerable to Year 2000 problems due to its widespread dependence on computer systems to deliver vital public services and carry out its operations. If these problems are not addressed in time, the District may be unable to effectively ensure public safety, collect revenue, educate students, and provide health care services. Today, I will discuss the District’s progress in fixing its systems and the risks it now faces. In October 1998 we testified that the District was seriously behind, but noted that a number of positive steps were underway to accelerate its progress on the Year 2000 problem.1 At that time, the District had hired a new chief technology officer, appointed a full-time Year 2000 program manager, established a Year 2000 program office, launched an aggressive strategy to compensate for lost time, assigned more resources, and contracted with an information technology firm to assist with all phases of the Year 2000 correction process. Still, we stressed that because the District was so far behind in addressing the problem, it was at significant risk that critical processes could fail. Consequently, we recommended that the District promptly identify its most important operations, determine which systems supporting these operations could be fixed before the Year 2000 deadline, and ensure that business continuity and contingency plans were developed for core business operations for which supporting systems would not be renovated on time. Since we last testified, the District has started implementing these recommendations and has taken additional steps to address the Year 2000 problem. Nevertheless, the District remains far behind, but is not alone in its predicament. According to a November 1998 National Association of Counties survey of 500 counties representing 46 states, about two-thirds of counties had not yet completed the assessment phase of their Year 2000 work and about half did not yet have a countywide plan for addressing Year 2000 conversion issues. States are also experiencing Year 2000 challenges. 1 Year 2000 Computing Crisis: The District of Columbia Faces Tremendous Challenges in Ensuring Vital Services Are Not Disrupted (GAO/T-AIMD-99-4, October 2, 1998). Page 1 GAO/T-AIMD-99-84 A recent survey of state Year 2000 efforts2 indicates that over 40 percent of the states are less than halfway through remediating their mission-critical systems.3 To prepare for this testimony, we conducted a quick overview of the District’s recent efforts to address risks associated with the Year 2000 date change and compared these efforts to criteria detailed in our Year 2000 Assessment Guide,4 Business Continuity and Contingency Planning Guide,5 and Testing Guide.6 We reviewed a number of key project documents including the District’s Enterprise Project Plan, Contingency Planning Workbook (that describes the District’s approach to contingency planning), and Test Strategy. We interviewed District officials responsible for overseeing the Year 2000 effort, including the Year 2000 Program Manager, the Year 2000 Contingency Planning Manager, the Director for Systems Audits in the Office of the Inspector General, and the Year 2000 contractor’s Program Executive and Contingency Planning Manager. Finally, we reviewed information collected by the National Association of State Information Resource Executives and a study of county government Year 2000 preparedness conducted by the National Association of Counties. We performed our work in Washington, D.C., between February 2 and February 17, 1999, in accordance with generally accepted government auditing standards. 2 Individual states submit periodic Year 2000 progress updates to the National Association of State Information Resource Executives. For the January 15th report, the states submitted their data between December 7, 1998, and January 14, 1999. 3Four states did not respond to this question. 4 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14). Published as an exposure draft in February 1997 and finalized in September 1997, the guide was issued to help federal agencies prepare for the Year 2000 conversion. 5Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19). Published as an exposure draft in March 1998 and issued in August 1998, this guide provides a conceptual framework for helping organizations to manage the risk of potential Year 2000-induced disruptions to their operations. It discusses the scope and challenge and offers a structured approach for reviewing the adequacy of agency Year 2000 business continuity and contingency planning efforts. 6 Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21). Published as an exposure draft in June 1998 and issued in November 1998, this guide addresses the need to plan and conduct Year 2000 tests in a structured and disciplined fashion. The guide describes a step-by-step framework for managing, and a checklist for assessing, all Year 2000 testing activities including those activities associated with computer systems or system components (such as embedded processors) that are vendor supported. Page 2 GAO/T-AIMD-99-84 District of Columbia Since our initial assessment, the District Year 2000 Program Office has established an orderly process for addressing the Year 2000 problem and Efforts to Address the has been working hard to develop an understanding of its core business Year 2000 Problem processes and supporting information systems. For example, the District has: • identified 18 agencies that are critical to providing vital services to the city; • identified and prioritized 75 core business processes and over 200 mission-critical systems that support these processes; • developed a detailed project plan for remediating, testing, and implementing its mission-critical systems; • prepared and tested a contingency planning methodology and has begun to apply the methodology in developing business continuity and contingency plans for core business processes; • developed a system testing strategy; • strengthened its Year 2000 organization by hiring additional staff; and • developed crisis management procedures to be used in the event that a Year 2000 failure is imminent or occurs. The Year 2000 Program Manager holds weekly meetings to review deviations from schedule baselines and monitor the overall program status. Additionally, the Program Office recently began preparing Year 2000 report cards for all systems included in the District’s Year 2000 effort. These report cards, which are provided to each agency, summarize the progress being made on each system. The District Is Still The District’s recent actions reflect a commitment to protect its key business processes from Year 2000 failure. However, its schedule for Behind Schedule fulfilling this commitment is highly compressed and moves through four phases of the Year 2000 process in less than 1 year--assessment by the end of February, renovation and contingency planning by the end of September, and system validation by the end of October. Currently, the District remains over 1 year behind our recommended schedule and is just now transitioning from the assessment to the renovation phase of the Year 2000 conversion model. By contrast, our Assessment Guide recommends that renovation should have been completed by the end of August 1998 to allow ample time for validation and implementation and that organizations should now be well along in their contingency planning efforts--testing and implementing business continuity and contingency plans for their core Page 3 GAO/T-AIMD-99-84 business processes and mission-critical systems.7 As illustrated in the following figure, organizations should also now be well into validating and implementing their renovated systems. Figure 1: The District’s Reported Year 2000 Status Compared to Our Recommended Year 2000 Schedule w here the w here the D is t r i c t i s D is t r i c t should be assessm ent v a lid a t i o n & im p l e m e n t a t i o n awareness renovation 1996 1997 1998 1999 According to the District’s Year 2000 Program Manager, at this time, the District has only renovated about 5 percent of its mission-critical systems, with less than 1 percent of its mission-critical systems completing validation. Further, only one of the District’s over 200 mission-critical systems, which is responsible for paying District employees and pensioners, has been through the entire conversion process and is now implemented. Only six business continuity plans—such as the plan for documenting the manual registering of students for the University of the District of Columbia’s student enrollment process—have been finalized. The District of It will be difficult for the District to adequately compensate for its late start in initiating effective action on the Year 2000 challenge. As a result, it faces Columbia Faces a Risk a significant risk that vital services will be disrupted--and tremendously That Critical Services important tasks lie ahead. For example, according to the District’s project plan, testing for a majority of its mission-critical systems will peak over the Will Be Disrupted next few months and finish in October. Experience shows that Year 2000 testing--the linchpin for providing reasonable assurance that systems process dates correctly—is the most time-consuming and difficult phase of 7 Although the District has finished assessing its mission-critical systems, it does not expect to finish assessing non-IT assets until the end of February 1999. According to the District’s Year 2000 Program Manager, about 36 percent of the District’s non-IT assets have been assessed. Page 4 GAO/T-AIMD-99-84 nearly all Year 2000 projects. Similarly, development and testing of the District’s contingency plans, which are intended to reduce the risk and potential impact of Year 2000-induced information system failures on its core business processes, are likewise scheduled for completion in the fall. Given the District’s compressed Year 2000 schedule--which allows no margin for error--and to have a reasonable chance of avoiding serious disruption to public services, it must be well prepared for likely project delays and/or failures of mission-critical systems. The District Must Take The District’s schedule for Year 2000 compliance offers little opportunity for further compression, no margin for error, and little room for corrective Steps to Mitigate Risks action if test results show continued problems with mission-critical systems. • First, to partially compensate, we recommend that the District place increased emphasis on (1) completing business continuity and contingency plans as early as possible to allow time for testing and funding and (2) ensuring that contingency plans and priorities are updated to reflect information that becomes available as the Year 2000 project progresses, including new risk assessments based on the successes and failures encountered in the validation phase of the project. • Second, efforts to address the Year 2000 problem must have continued top-level attention, commitment, and input from key stakeholders (including the Mayor, department and agency heads, and the Control Board8) who “own” the Year 2000 process. These stakeholders must • participate in making critical decisions throughout the remainder of the project, • continue to provide resources and support for the program, and • take action necessary to eliminate obstacles that could reduce the Year 2000 Program Office’s chances of successfully executing its project plan. 8 The District of Columbia Financial Responsibility and Management Assistance Authority, also known as the District of Columbia Control Board, was established in April 1995 by Public Law 104-8. The Board’s responsibilities include improving the District’s financial planning, budgeting, and revenue forecasting as well as ensuring the most efficient and effective delivery of city services. The Board is also responsible for conducting investigations to determine the fiscal status and operational efficiency of the District government. Leter Page 5 GAO/T-AIMD-99-84 Mr. Chairman, this concludes my statement. I will be happy to answer any questions you or Members of the Subcommittee may have. (511142) Leter Page 6 GAO/T-AIMD-99-84 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: The District of Columbia Remains Behind Schedule
Published by the Government Accountability Office on 1999-02-19.
Below is a raw (and likely hideous) rendition of the original report. (PDF)