oversight

Year 2000 Computing Crisis: The District of Columbia Remains Behind Schedule

Published by the Government Accountability Office on 1999-02-19.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on the District of Columbia,
                          Committee on Government Reform, House of
                          Representatives


For Release on Delivery

Expected at               YEAR 2000 COMPUTING
                          CRISIS
9:30 a.m.

Friday,

February 19, 1999




                          The District of Columbia
                          Remains Behind Schedule
                          Statement of Jack L. Brock, Jr.
                          Director, Governmentwide and Defense Information
                          Systems
                          Accounting and Information Management Division




GAO/T-AIMD-99-84
Mr. Chairman and Members of the Subcommittee:

Thank you for inviting me to participate in today’s hearing on the
challenges facing the District of Columbia in addressing the Year 2000
problem. As you know, the District of Columbia, like many public and
private organizations, is extremely vulnerable to Year 2000 problems due to
its widespread dependence on computer systems to deliver vital public
services and carry out its operations. If these problems are not addressed
in time, the District may be unable to effectively ensure public safety,
collect revenue, educate students, and provide health care services. Today,
I will discuss the District’s progress in fixing its systems and the risks it
now faces.

In October 1998 we testified that the District was seriously behind, but
noted that a number of positive steps were underway to accelerate its
progress on the Year 2000 problem.1 At that time, the District had hired a
new chief technology officer, appointed a full-time Year 2000 program
manager, established a Year 2000 program office, launched an aggressive
strategy to compensate for lost time, assigned more resources, and
contracted with an information technology firm to assist with all phases of
the Year 2000 correction process. Still, we stressed that because the
District was so far behind in addressing the problem, it was at significant
risk that critical processes could fail. Consequently, we recommended that
the District promptly identify its most important operations, determine
which systems supporting these operations could be fixed before the Year
2000 deadline, and ensure that business continuity and contingency plans
were developed for core business operations for which supporting systems
would not be renovated on time. Since we last testified, the District has
started implementing these recommendations and has taken additional
steps to address the Year 2000 problem.

Nevertheless, the District remains far behind, but is not alone in its
predicament. According to a November 1998 National Association of
Counties survey of 500 counties representing 46 states, about two-thirds of
counties had not yet completed the assessment phase of their Year 2000
work and about half did not yet have a countywide plan for addressing Year
2000 conversion issues. States are also experiencing Year 2000 challenges.



1
 Year 2000 Computing Crisis: The District of Columbia Faces Tremendous Challenges in Ensuring Vital
Services Are Not Disrupted (GAO/T-AIMD-99-4, October 2, 1998).




Page 1                                                                        GAO/T-AIMD-99-84
A recent survey of state Year 2000 efforts2 indicates that over 40 percent of
the states are less than halfway through remediating their mission-critical
systems.3

To prepare for this testimony, we conducted a quick overview of the
District’s recent efforts to address risks associated with the Year 2000 date
change and compared these efforts to criteria detailed in our Year 2000
Assessment Guide,4 Business Continuity and Contingency Planning Guide,5
and Testing Guide.6 We reviewed a number of key project documents
including the District’s Enterprise Project Plan, Contingency Planning
Workbook (that describes the District’s approach to contingency planning),
and Test Strategy. We interviewed District officials responsible for
overseeing the Year 2000 effort, including the Year 2000 Program Manager,
the Year 2000 Contingency Planning Manager, the Director for Systems
Audits in the Office of the Inspector General, and the Year 2000 contractor’s
Program Executive and Contingency Planning Manager. Finally, we
reviewed information collected by the National Association of State
Information Resource Executives and a study of county government Year
2000 preparedness conducted by the National Association of Counties. We
performed our work in Washington, D.C., between February 2 and
February 17, 1999, in accordance with generally accepted government
auditing standards.




2
  Individual states submit periodic Year 2000 progress updates to the National Association of State
Information Resource Executives. For the January 15th report, the states submitted their data between
December 7, 1998, and January 14, 1999.

3Four   states did not respond to this question.

4
  Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14). Published as an exposure
draft in February 1997 and finalized in September 1997, the guide was issued to help federal agencies
prepare for the Year 2000 conversion.

5Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19).
Published as an exposure draft in March 1998 and issued in August 1998, this guide provides a
conceptual framework for helping organizations to manage the risk of potential Year 2000-induced
disruptions to their operations. It discusses the scope and challenge and offers a structured approach
for reviewing the adequacy of agency Year 2000 business continuity and contingency planning efforts.

6
  Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21). Published as an exposure draft in
June 1998 and issued in November 1998, this guide addresses the need to plan and conduct Year 2000
tests in a structured and disciplined fashion. The guide describes a step-by-step framework for
managing, and a checklist for assessing, all Year 2000 testing activities including those activities
associated with computer systems or system components (such as embedded processors) that are
vendor supported.




Page 2                                                                           GAO/T-AIMD-99-84
District of Columbia     Since our initial assessment, the District Year 2000 Program Office has
                         established an orderly process for addressing the Year 2000 problem and
Efforts to Address the   has been working hard to develop an understanding of its core business
Year 2000 Problem        processes and supporting information systems. For example, the District
                         has:

                         • identified 18 agencies that are critical to providing vital services to the
                           city;
                         • identified and prioritized 75 core business processes and over 200
                           mission-critical systems that support these processes;
                         • developed a detailed project plan for remediating, testing, and
                           implementing its mission-critical systems;
                         • prepared and tested a contingency planning methodology and has begun
                           to apply the methodology in developing business continuity and
                           contingency plans for core business processes;
                         • developed a system testing strategy;
                         • strengthened its Year 2000 organization by hiring additional staff; and
                         • developed crisis management procedures to be used in the event that a
                           Year 2000 failure is imminent or occurs.

                         The Year 2000 Program Manager holds weekly meetings to review
                         deviations from schedule baselines and monitor the overall program status.
                         Additionally, the Program Office recently began preparing Year 2000 report
                         cards for all systems included in the District’s Year 2000 effort. These
                         report cards, which are provided to each agency, summarize the progress
                         being made on each system.



The District Is Still    The District’s recent actions reflect a commitment to protect its key
                         business processes from Year 2000 failure. However, its schedule for
Behind Schedule          fulfilling this commitment is highly compressed and moves through four
                         phases of the Year 2000 process in less than 1 year--assessment by the end
                         of February, renovation and contingency planning by the end of September,
                         and system validation by the end of October. Currently, the District
                         remains over 1 year behind our recommended schedule and is just now
                         transitioning from the assessment to the renovation phase of the Year 2000
                         conversion model. By contrast, our Assessment Guide recommends that
                         renovation should have been completed by the end of August 1998 to allow
                         ample time for validation and implementation and that organizations
                         should now be well along in their contingency planning efforts--testing and
                         implementing business continuity and contingency plans for their core



                         Page 3                                                       GAO/T-AIMD-99-84
                         business processes and mission-critical systems.7 As illustrated in the
                         following figure, organizations should also now be well into validating and
                         implementing their renovated systems.


                         Figure 1: The District’s Reported Year 2000 Status Compared to Our Recommended
                         Year 2000 Schedule



                                               w here the                                   w here the
                                               D is t r i c t i s                           D is t r i c t
                                                                                            should be


                                                         assessm ent                         v a lid a t i o n & im p l e m e n t a t i o n
                                   awareness                               renovation




                                      1996                          1997                1998                            1999



                         According to the District’s Year 2000 Program Manager, at this time, the
                         District has only renovated about 5 percent of its mission-critical systems,
                         with less than 1 percent of its mission-critical systems completing
                         validation. Further, only one of the District’s over 200 mission-critical
                         systems, which is responsible for paying District employees and
                         pensioners, has been through the entire conversion process and is now
                         implemented. Only six business continuity plans—such as the plan for
                         documenting the manual registering of students for the University of the
                         District of Columbia’s student enrollment process—have been finalized.



The District of          It will be difficult for the District to adequately compensate for its late start
                         in initiating effective action on the Year 2000 challenge. As a result, it faces
Columbia Faces a Risk    a significant risk that vital services will be disrupted--and tremendously
That Critical Services   important tasks lie ahead. For example, according to the District’s project
                         plan, testing for a majority of its mission-critical systems will peak over the
Will Be Disrupted        next few months and finish in October. Experience shows that Year 2000
                         testing--the linchpin for providing reasonable assurance that systems
                         process dates correctly—is the most time-consuming and difficult phase of


                         7
                           Although the District has finished assessing its mission-critical systems, it does not expect to finish
                         assessing non-IT assets until the end of February 1999. According to the District’s Year 2000 Program
                         Manager, about 36 percent of the District’s non-IT assets have been assessed.




                         Page 4                                                                                     GAO/T-AIMD-99-84
                          nearly all Year 2000 projects. Similarly, development and testing of the
                          District’s contingency plans, which are intended to reduce the risk and
                          potential impact of Year 2000-induced information system failures on its
                          core business processes, are likewise scheduled for completion in the fall.
                          Given the District’s compressed Year 2000 schedule--which allows no
                          margin for error--and to have a reasonable chance of avoiding serious
                          disruption to public services, it must be well prepared for likely project
                          delays and/or failures of mission-critical systems.



The District Must Take    The District’s schedule for Year 2000 compliance offers little opportunity
                          for further compression, no margin for error, and little room for corrective
Steps to Mitigate Risks   action if test results show continued problems with mission-critical
                          systems.

                          • First, to partially compensate, we recommend that the District place
                            increased emphasis on (1) completing business continuity and
                            contingency plans as early as possible to allow time for testing and
                            funding and (2) ensuring that contingency plans and priorities are
                            updated to reflect information that becomes available as the Year 2000
                            project progresses, including new risk assessments based on the
                            successes and failures encountered in the validation phase of the
                            project.
                          • Second, efforts to address the Year 2000 problem must have continued
                            top-level attention, commitment, and input from key stakeholders
                            (including the Mayor, department and agency heads, and the Control
                            Board8) who “own” the Year 2000 process. These stakeholders must
                            • participate in making critical decisions throughout the remainder of
                               the project,
                            • continue to provide resources and support for the program, and
                            • take action necessary to eliminate obstacles that could reduce the
                               Year 2000 Program Office’s chances of successfully executing its
                               project plan.




                          8
                            The District of Columbia Financial Responsibility and Management Assistance Authority, also known
                          as the District of Columbia Control Board, was established in April 1995 by Public Law 104-8. The
                          Board’s responsibilities include improving the District’s financial planning, budgeting, and revenue
                          forecasting as well as ensuring the most efficient and effective delivery of city services. The Board is
                          also responsible for conducting investigations to determine the fiscal status and operational efficiency
                          of the District government.




             Leter        Page 5                                                                             GAO/T-AIMD-99-84
                   Mr. Chairman, this concludes my statement. I will be happy to answer any
                   questions you or Members of the Subcommittee may have.




(511142)   Leter   Page 6                                                   GAO/T-AIMD-99-84
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested