Year 2000 Computing Challenge: OPM Has Made Progress on Business
Continuity Planning (Letter Report, 05/24/99, GAO/GGD-99-66).

Pursuant to a congressional request, GAO reviewed the Office of
Personnel Management's (OPM) year 2000 business continuity and
contingency planning activities, focusing on OPM's efforts to: (1)
develop an overall planning strategy for ensuring the continuity of
agency operations; (2) assess the risk and impact of system failures on
the agency's core business processes; (3) prepare contingency plans that
include procedures and timetables for continuing agency operations in
the event that critical systems fail; and (4) test the contingency plans
to determine their effectiveness.

GAO noted that: (1) OPM has made progress in its business continuity
planning efforts in preparation for the year 2000 computing problem; (2)
using GAO's guidance on year 2000 business continuity planning for
federal agencies, OPM developed a strong planning strategy for ensuring
the continuity of critical agency operations in the event of year
2000-induced system failures; (3) to develop its planning strategy, OPM
created a project structure involving representatives from the agency's
major business units; (4) through the coordination of this project work
group, OPM developed a master schedule and milestones for continuity
planning activities, identified business processes that are critical to
agency operations, established key reporting requirements, and obtained
the concerted support and involvement of the agency's senior management;
(5) GAO's review raised concerns, however, about OPM's implementation of
the business continuity planning strategy; (6) GAO identified these
concerns after reviewing key planning documents that OPM had developed
according to critical milestones established by the agency in its year
2000 business continuity planning process; (7) specifically, GAO's
concerns involved the approach that OPM used for: (a) assessing the risk
and impact of system failures on the agency's core business processes;
(b) preparing contingency plans to be used in the event of critical
system failures; and (c) developing plans to test the contingency plans
to determine whether they would be effective if implemented; (8) when
OPM presented GAO with its written comments on a draft of this report,
it provided GAO with supplemental documentation that demonstrated that
the agency had taken additional actions to address GAO's concerns; (9)
by taking these additional actions, OPM has improved the implementation
of its business continuity planning strategy and increased the
likelihood that critical agency functions can be carried out even if
year 2000-induced failures occur in key computer systems; and (10) thus,
GAO is not making recommendations to address the concerns originally
observed.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  GGD-99-66
     TITLE:  Year 2000 Computing Challenge: OPM Has Made Progress on
	     Business Continuity Planning
      DATE:  05/24/99
   SUBJECT:  Strategic information systems planning
	     Y2K
	     Systems conversions
	     Computer software verification and validation
	     Data integrity
	     Computer software
	     Information resources management
	     Computer security
IDENTIFIER:  Y2K
	     OPM Year 2000 Program

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column delineations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
YEAR 2000 COMPUTING CHALLENGE: OPM Has Made Progress on Business
Continuity Planning

United States General Accounting Office

GAO Report to the Chairman, Subcommittee on the Civil Service,
Committee on Government Reform, House of Representatives

May 1999 

GAO/GGD-99-66

United States General Accounting Office
Washington, D.C. 20548

General Government Division

B-281298

May 24, 1999

The Honorable Joe Scarborough
Chairman, Subcommittee on the Civil Service
Committee on Government Reform
House of Representatives

Dear Mr. Chairman:

The Office of Personnel Management (OPM), like other federal
agencies, has been working to safeguard its critical computer
systems against failures caused by what is known as the Year 2000
computing problem. Computer systems could malfunction or generate
incorrect results after December 31, 1999, given that in many
systems developed over the past several decades, the year 2000 is
indistinguishable from the year 1900 because both are represented
as 00. OPM's preparation for the Year 2000 problem is vital to
ensuring the continuation of its important agency functions, such
as processing annuity payments to federal retirees and their
survivors. Given the potential for serious governmentwide
disruption to critical functions and services, we have designated
the Year 2000 computing problem as a high-risk area in the federal
government.[1]

[1] High-Risk Series: Information Management and Technology
(GAO/HR-97-9, Feb. 1997); and High-Risk Series: An Update
(GAO/HR-99-1, Jan. 1999).

In addition to preparing critical computer systems for the year
2000, federal agencies need to develop plans to ensure the
continuity of their operations should systems fail to operate as
intended. Agencies must also prepare for possible disruptions to
critical infrastructure services like power, water, and
telecommunications. Given our concerns about the readiness of
federal agencies to prepare for possible disruptions to critical
operations, we initiated a review of OPM's business continuity and
contingency planning efforts for managing and mitigating the risks
of Year 2000-related business failures. Because of your interest
in this issue, you asked that we address this report to you.

In reviewing OPM's Year 2000 business continuity and contingency
planning activities, our objectives were to evaluate OPM's efforts
to (1) develop an overall planning strategy for ensuring the
continuity of agency operations, (2) assess the risk and impact of
system failures on the agency's core business processes, (3)
prepare contingency plans that include procedures and timetables
for continuing agency operations in the event that critical
systems fail, and (4) test the contingency plans to determine
their effectiveness. Guidance on these four steps is detailed in
our Year 2000 business continuity planning guide,[2] which
presents a structured approach to aid federal agencies in managing
and mitigating risks associated with the century date change. This
structured approach helps to ensure that agencies have, at a
minimum, addressed the important components of a well-developed
business continuity plan for the Year 2000 problem.

[2] Year 2000 Computing Crisis: Business Continuity and
Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure
draft in Mar. 1998 and in final form in Aug. 1998).

Results in Brief

OPM has made progress in its business continuity planning efforts
in preparation for the Year 2000 computing problem. Using our
guidance on Year 2000 business continuity planning for federal
agencies, OPM developed a strong planning strategy for ensuring
the continuity of critical agency operations in the event of Year
2000-induced system failures. To develop its planning strategy,
OPM created a project structure involving representatives from the
agency's major business units. Through the coordination of this
project work group, OPM developed a master schedule and milestones
for continuity planning activities, identified business processes
that are critical to agency operations, established key reporting
requirements, and obtained the concerted support and involvement
of the agency's senior management.

Our review raised concerns, however, about OPM's implementation of
its business continuity planning strategy. We identified these
concerns after reviewing key planning documents that OPM had
developed according to critical milestones established by the
agency in its Year 2000 business continuity planning process.
Specifically, our concerns involved the approach that OPM used for
(1) assessing the risk and impact of system failures on the
agency's core business processes, (2) preparing contingency plans
to be used in the event of critical system failures, and (3)
developing plans to test the contingency plans to determine
whether they would be effective if implemented.

When OPM presented us with its written comments on a draft of this
report, it provided us with supplemental documentation that
demonstrated that the agency had taken additional actions to
address our concerns. By taking these additional actions, OPM has
improved the implementation of its business continuity planning
strategy and increased the likelihood that critical agency
functions can be carried out even if Year 2000-induced failures
occur in key computer systems. Thus, we are not making
recommendations to address the concerns we originally observed.

Background

For the past several decades, automated information systems have
typically used two digits to represent the year, such as 98 for
1998, in order to conserve electronic data storage space and
reduce operating costs. In this format, however, the year 2000 is
indistinguishable from the year 1900 because both are represented
as 00. As a result, if not modified, computer systems or
applications that use dates or perform date-sensitive calculations
could malfunction or generate incorrect results when working with
years after 1999. To mitigate this risk, organizations, public and
private, must repair or replace their mission-critical systems,
test the systems for Year 2000 compliance, and develop plans to
ensure continued operations in the event of Year 2000-induced
system failures.

To assist agencies in addressing the Year 2000 computing problem,
we prepared guidance that presents structured approaches for
assessing an agency's Year 2000 conversion effort,[3] testing
systems and system components for Year 2000 compliance,[4] and
developing business continuity and contingency plans.[5] Our guide
on business continuity and contingency planning, which the Office
of Management and Budget (OMB) has adopted as a standard for
federal agencies, describes four phases of implementation, each
representing a major Year 2000 business continuity planning
activity. These four phases are described in the following
paragraphs.

[3] Year 2000 Computing Crisis: An Assessment Guide
(GAO/AIMD-10.1.14, issued as an exposure draft in Feb. 1997 and in
final form in Sept. 1997).

[4] Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21,
issued as an exposure draft in June 1998 and in final form in Nov.
1998).

[5] GAO/AIMD-10.1.19, August 1998.

Initiation: This critical first step involves establishing an
overall strategy for ensuring the continuity of agency operations
in the event of Year 2000-induced system failures. The agency
convenes a planning team of agency officials to work with the
agency's Year 2000 program management in developing a master
schedule and milestones, documenting the agency's core business
processes, establishing key reporting requirements, and obtaining
executive-level support for the planning effort.

Business impact analysis: In this phase, the agency assesses the
risk and impact of systems failures on the viability and
operations of the agency's core business processes. By defining
possible failure scenarios associated with the Year 2000 problem,
the agency identifies threats to its core business processes. The
agency then analyzes the risk and impact of these potential
threats and develops strategies to mitigate the impact of these
threats prior to potential system failure.

Contingency planning: This phase entails developing and
documenting contingency plans that specify the agency's response
to system failures in order to ensure the continued operation of
the agency's core business processes. These plans provide a
description of the resources, staff roles, procedures, and
timetables needed for implementation.

Testing: In this phase, the agency develops and executes test
plans to determine whether the contingency plans are capable of
providing the desired level of support to the agency's core
business processes and whether the plans can be implemented within
a specified period of time. The agency then updates its
contingency plans based on lessons learned and retests if
necessary.

In planning for possible Year 2000-related problems, agencies
need to consider not only the potential failures of their internal
systems but also disruptions related to the agencies' external
dependencies. Many agencies depend on information and data from
business partners, including other federal agencies, state and
local agencies, and private sector entities. In addition, agencies
need to consider the risks to public infrastructure services, such
as power, water, and voice and data telecommunications.

We conducted our review from November 1998 through April 1999 in
accordance with generally accepted government auditing standards.
Details of our objectives, scope, and methodology are presented in
appendix I. We requested comments on a draft of this report from
the Director of OPM or her designee. On April 2, 1999, we met with
OPM officials to obtain and discuss the agency's written comments,
which are summarized in the Agency Comments section and reprinted
in appendix IV.

OPM Developed a Strong Planning Strategy for Its Year 2000
Continuity Efforts

The first phase of business continuity planning, referred to
herein as initiation, involves developing a planning strategy for
ensuring the continuity of agency operations in the event of Year
2000-induced failures. As noted in our guidance on business
continuity planning, during this initiation phase, agencies need
to create an organizational structure for the planning project and
establish a master schedule and key milestones for completing the
planning effort. Our guide recommends creating a business
continuity work group that reports to senior agency management and
includes representatives from the agency's major business units.
Through the coordination of this work group, agencies would
identify their core business processes, establish key reporting
requirements, and obtain executive support for the planning
effort.

Our review showed that OPM developed a strong planning strategy
for its Year 2000 business continuity efforts. In developing this
planning strategy, OPM established a project structure and
milestones for carrying out the planning effort, identified the
agency's core business processes, established key reporting
requirements, and obtained the concerted support and involvement
of senior managers in the agency.

OPM Created a Project Structure and Milestones for Its Planning
Activities

OPM's Year 2000 business continuity planning efforts began in
April of 1998. At that time, OPM's Director designated the
agency's Chief of Staff to oversee the agency's continuity
planning process. The Chief of Staff formulated an executive
committee to select an OPM official to serve as the project
manager in directing the day-to-day activities of the agency's
Year 2000 continuity planning effort. As recommended in our
business continuity planning guide, OPM assembled a business
continuity work group to coordinate the agency's planning efforts.
The work group, which began meeting in June 1998, is led by the
business continuity project manager and is composed of officials
from each of OPM's 17 major business units. (See app. II for a
list of the units represented on the work group.) The designated
role of the work group was to coordinate the agency's planning
efforts through their respective OPM units and report to the
continuity project manager on the status of units' planning
activities.

Our business continuity planning guide states that agencies should
also develop a master schedule and milestones for the continuity
planning effort. OPM developed a master schedule that called for
the preparation of all the agency's draft[6] contingency plans by
December 1998. To determine whether the plans would be effective
if implemented, OPM established milestones to develop and test the
contingency plans by May 1999. The schedule called for OPM to
prepare its final contingency plans by June 1999.

[6] Until the contingency plans are tested to determine their
effectiveness, OPM officials refer to the plans as draft.

OPM Identified Core Business Processes to Be Used in Its Planning
Process

In the early phase of the business continuity planning effort,
each agency also needs to identify those processes or functions
that are critical to the agency's ability to deliver important
services to its customers. These core business processes are to
serve as the foundation of the agency's Year 2000 continuity
planning efforts. OPM identified the following five core business
processes for the agency:

- Provide retirement and survivor annuity payments.
- Process retirement and survivor claims.
- Administer health benefit and life insurance programs and
  payments.
- Provide examining services to agencies.
- Provide communications to agencies and employees on critical
  human resources issues.

In addition, OPM identified two key support functions that the
continuity work group would consider in its planning process: (1)
provide administrative and management information systems and (2)
provide information technology infrastructure.

When identifying core business processes, it is important that
agencies consider the critical agency systems that support these
core processes. Because the agency's mission-critical systems
support its core processes, these critical systems should receive
priority in the agency's Year 2000 program. At the time of our
review, OPM had designated 109 of its information systems as
mission-critical. Included in OPM's inventory of mission-critical
systems are complex retirement and insurance support systems that
process monthly annuity payments and collect funds withheld by
federal employees for retirement, health benefits, and life
insurance premiums. OPM officials told us that when they assessed
their systems to determine which ones to designate as mission
critical, they decided to take the broad approach of including
more rather than fewer systems. OPM officials said that this
approach would help to ensure that important systems received
agencywide attention.

OPM Established Reporting Requirements for Its Planning Effort

In developing a sound continuity planning approach, agencies also
need to establish key reporting requirements. Within OPM, business
continuity and contingency planning is one of 14 components in the
agency's overall Year 2000 program. Under OPM's Year 2000 program
management approach, agency officials responsible for each of
these 14 components are to report monthly on their progress in
meeting Year 2000-related goals. (See app. III for a list of the
14 components and the responsible OPM units.) OPM initiated this
program management approach in August 1998 in response to our
earlier review of OPM's initial Year 2000 system conversion
efforts. In a July 1998 briefing with OPM officials, we raised
concerns that OPM had not developed a comprehensive Year 2000 plan
with scheduled tasks as specified in our Year 2000 assessment
guide[7] and that the lack of such a plan could affect OPM's
ability to achieve Year 2000 compliance. OPM agreed with these
observations and developed a Year 2000 plan with scheduled tasks
and a more structured reporting and control mechanism.

[7] GAO/AIMD-10.1.14, September 1997.

OPM also established a reporting format for its business units to
use when preparing their Year 2000 contingency plans. In June
1998, OPM's continuity work group adopted the contingency plan
reporting format that the Social Security Administration (SSA) had
used for its contingency planning efforts. We had reported[8]
earlier that SSA was generally regarded as a federal leader in
addressing the century date change. Additionally, in its May 1998
quarterly report on the status of the federal government's Year
2000 progress, OMB reported that SSA's business continuity and
contingency plan had been circulated as a model to other federal
agencies.

[8] Social Security Administration: Significant Progress Made in
Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, Oct. 1997).

OPM Obtained Senior Managers' Support for Its Continuity Planning
Efforts

Our business continuity planning guide stresses the importance of
promoting executive ownership of the Year 2000 continuity planning
effort. Since the commencement of OPM's contingency planning
activities, OPM has made a concerted effort to obtain the support
and involvement of the agency's senior managers. For example,
OPM's Chief of Staff oversaw the business continuity work group's
initial efforts to coordinate the agency's Year 2000 continuity
planning activities. OPM's Deputy Director, newly appointed in
November 1998, has also taken an active role in the agency's
efforts to address the Year 2000 problem. In December 1998, the
Deputy Director assumed responsibility for overseeing the business
continuity work group's efforts to coordinate the agency's Year
2000 continuity planning activities.

OPM Developed Information to Assess the Risk of System Failures

After developing a business continuity strategy for the Year 2000
problem, agencies need to determine the risk and impact of
internal and external system failures on the viability and
operations of the agency's core business processes. During this
phase, referred to herein as business impact analysis, the agency
identifies Year 2000-related threats to the agency's core
processes. The agency then assesses the risk and impact of these
threats and identifies strategies to eliminate or reduce the
impact of the threats prior to potential system failures.

Our review of OPM's business impact analysis found that OPM
identified potential threats to the agency's critical functions
and identified strategies to mitigate these threats. We found
during our review, however, that when OPM analyzed the impact of
system failures on its core business processes, it had not
estimated and assigned risk to its mission-critical systems. After
reviewing a draft of this report, OPM provided us with
documentation that showed that the agency had taken additional
action to develop a Year 2000 risk assessment for each of its 109
mission-critical systems. This assessment should assist in
providing OPM with vital information about the likelihood of
system failures and the risk of such failures to the agency's core
business functions.

OPM Identified Threats to Its Core Business Processes

In conducting a risk and impact assessment of core business
processes, agencies first need to identify potential Year
2000-related threats, which represent circumstances or events that
could harm critical agency functions. As noted in our business
continuity planning guide, agencies identify these potential
threats by considering various Year 2000 failure scenarios. These
failure scenarios assume the loss of the agency's internal
mission-critical systems as well as potential failures related to
exchanging electronic data with business partners. The failure
scenarios should also address the potential disruption of
essential infrastructure services, including power and
telecommunications.

OPM identified potential threats to its critical functions through
its Year 2000 business continuity work group. Members of this work
group coordinated with their respective units in considering
possible Year 2000 failure scenarios and identified specific
threats to the provision of uninterrupted critical services to OPM
customers. For example, in identifying threats to its critical
process of providing retirement and survivor annuity payments, OPM
noted that some banks might not be able to receive electronic
funds transfer (EFT) payments, thus preventing customers from
receiving their retirement benefits.

OPM Assessed Risk to Its Mission-Critical Systems

After identifying potential Year 2000-related threats, agencies
need to assess the risk and impact of these threats on the
agency's core business processes. As noted in our business
continuity planning guide, the risk management process for
continuity planning calls for agencies to estimate and assign risk
to each of their mission-critical systems. This risk could be
related to the system's environment, hardware, software
interfaces, or other circumstances unique to the particular
system. For example, factors could include the number of
interfaces that the system has with external entities and the
current status of repairing and testing the system for Year 2000
compliance.

During our review, we found that when OPM assessed the risk of
Year 2000-induced failures for its core business processes, it had
not estimated and assigned risk to its mission-critical systems.
Therefore, OPM units that were assessing the risk of Year 2000
failures on core business processes

*** End of document. ***