Year 2000 Computing Crisis: Success Depends Upon Strong Management and
Structured Approach (Testimony, 09/25/97, GAO/T-AIMD-97-173).

GAO discussed the impact of the year 2000 on automated systems and the
guidelines for how to go about addressing the Year 2000 problem.

GAO noted that: (1) correcting the problem will be labor-intensive and
time-consuming; it must also be accomplished while systems continue to
operate; (2) typical systems contain tens or hundreds of computer
programs, each with thousands, tens of thousands, or even millions of
lines of software code; (3) examining software code for date format
problems, and making the necessary changes, is why the process is so
time-consuming; (4) it will be necessary to communicate with all
exchange partners to ascertain whether the systems through which data
are received have been made Year 2000 compliant; (5) an important point
to remember in deciding how to approach the overall problem is that,
while the solution may be tedious to carry out, the challenge is not
primarily technical, but managerial; (6) heads of organizational units
must communicate the importance of Year 2000 compliance to employees,
and work closely with the chief information officer or equivalent; (7)
in its evaluation of several federal agencies' plans for addressing Year
2000 problems, GAO is finding that, in many instances, organizations
need to improve their management of information technology; (8)
especially in cases in which there is little experience in dealing with
large-scale software conversion or systems development projects, it is
important that tested, structured systems development and program
management approaches be followed; (9) GAO has developed a guide that
constitutes a framework for organizations to use in assessing their
capability to achieve Year 2000 compliance; (10) the guide is divided
into five sections that correspond with the five phases that GAO sees
representing a Year 2000 program; (11) phase 1, Awareness, encompasses
problem definition and executive support and sponsorship; the Year 2000
team is assemble and an overall strategy developed; (12) in phase 2,
Assessment, the severity of potential failures from uncorrected systems
is gauged, inventories of systems are conducted, and strategies for
implementing necessary changes are developed; (13) in phase 3,
Renovation, technical system elements are converted or replaced; (14) in
phase 4, Validation, corrected systems are tested; (15) in phase 5,
Implementation, corrected systems are put into operation; (16)
management of the overall Year 2000 program and its individual projects
is ongoing, throughout all phases; (17) the program should be planned
and managed as a single, large information-systems project; and (18)
along with planned monitoring, policies and procedures that must be in
place include quality assurance, risk management, scheduling and
tracking, and budgeting.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-173
     TITLE:  Year 2000 Computing Crisis: Success Depends Upon Strong 
             Management and Structured Approach
      DATE:  09/25/97
   SUBJECT:  Computer software verification and validation
             Information systems
             Systems conversions
             Data integrity
             Strategic information systems planning
             Information technology
             Computer software
             Information resources management

             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Public Safety and Administration,
Committee on Appropriations, House of Delegates, State of Maryland

For Release on Delivery
Expected at
3 p.m.
Thursday,
September 25, 1997

YEAR 2000 COMPUTING CRISIS -
SUCCESS DEPENDS UPON STRONG
MANAGEMENT AND STRUCTURED APPROACH

Statement of Joel C.  Willemssen
Director, Information Resources Management
Accounting and Information Management Division

GAO/T-AIMD-97-173

GAO/AIMD-97-173T


(511435)


Abbreviations
=============================================================== ABBREV


============================================================ Chapter 0

Mr.  Chairman and Members of the Committee: 

I am honored to be here today and look forward to sharing with
Maryland lawmakers the perspective of the U.S.  General Accounting
Office on addressing one of the most far-reaching technology issues
of the computer age:  the impact of the year 2000 on automated
systems.  This issue has received a great deal of attention--and
deservedly so.  The upcoming change of century poses significant
risks to virtually all functions, public and private, that rely on
computer systems.  Because of its potential effect on federal
operations, the Year 2000 problem has been designated one of GAO's
high-risk areas.\1

The potential impact on state government is likewise immense.  As in
the private and federal sectors, there is much that needs to be done
if states are to avoid the problems that will almost inevitably
follow from systems that have not been renovated, replaced, or
retired.  Many of the state services on which your constituents
depend emanate from automated systems; investing in making these
systems what is called Year 2000 compliant is absolutely necessary to
avoid the inevitable chaos that will result from systems that have
not been converted. 

Most of my presentation to you today will consist of guidelines for
how to go about addressing the Year 2000 problem.  First, however, a
quick look at what the problem is, and why it happened. 


--------------------
\1 High-Risk Series:  Information Management and Technology
(GAO/HR-97-9, February 1997). 


   THE PROBLEM:  2000 IS NOT 1900
---------------------------------------------------------- Chapter 0:1

For the past several decades, computer systems have typically used
two digits to represent the year, such as "97" for 1997, in order to
conserve electronic space and reduce operating costs.  In this
format, however, 2000 is indistinguishable from 1900 because both are
represented as "00." As a result, if not modified, computer systems
or applications that use dates or perform date- or time-sensitive
calculations may generate incorrect results beyond 1999. 

Year 2000-related problems are not merely hypothetical; they have
already occurred.  An automated Department of Defense information
system erroneously deactivated 90,000 inventoried items as the result
of an incorrect date calculation; correcting the error took 400 hours
of work. 

Who could be affected?  Virtually everyone.  Every program that
provides benefits in any way is subject to these problems because
they all inevitably rely on age, date of birth, or some other kind of
date-sensitive data in determining eligibility.  Here's how:  Suppose
a recipient of a particular state benefit reaches eligibility at age
65.  If born in 1930, eligibility began in 1995.  Yet if, in 2000, an
uncorrected computer system reads the current date of "00" as 1900,
the recipient would be seen as negative 30 years old--not even born
yet.  As a result, benefits that had been received for 5 years could
cease, because the system would judge the individual to be
ineligible. 

Younger citizens would likewise be affected.  If someone born in 1984
seeks to obtain a driver's license in 2000, at age 16, he or she had
better hope that the system used by the motor vehicles department has
been converted.  Otherwise, when "00" is read as 1900, the teenager
will be seen as negative 84 years old--hardly ready to drive. 


   CORRECTING THE PROBLEM
---------------------------------------------------------- Chapter 0:2

Mr.  Chairman, correcting the problem--in the State of Maryland as
elsewhere--will be labor-intensive and time-consuming; it must also
be accomplished while systems continue to operate.  Systems may well
have been designed and developed 20 to 25 years ago; they may have
used a variety of computer languages--many of them old or
obsolete--and documentation may be poor.  Typical systems contain
tens or hundreds of computer programs, each with thousands, tens of
thousands, or even millions of lines of software code. 

Examining software code for date format problems, and making the
necessary changes, is why the process is so time-consuming.  The
systems also typically have numerous components--hardware, operating
systems, communications applications, and database software--that are
likewise affected by the date problem.  Accordingly, regardless of
some vendor claims, no one single solution exists. 

States will need to be careful to ensure that incoming data from any
source external to a particular system is Year 2000
compliant--whether that external source be a federal system, one from
another state, the private sector, or even another system within the
same state.  It will be necessary to communicate with all exchange
partners to ascertain whether the systems through which data are
received have been made Year 2000 compliant.  Where this is not the
case, appropriate bridges will need to be developed to safeguard
converted state systems from being corrupted by exposure to data from
noncompliant systems. 

An important point to remember in deciding how to approach the
overall problem is that while the solution may be tedious to carry
out, the challenge is not primarily technical, but managerial. 
That's why a main predictor of success will be an organization's
ability to harness strong leadership and program management
capabilities.  Heads of organizational units must communicate the
importance of Year 2000 compliance to employees and work closely with
the chief information officer or equivalent. 

Over the past year we at GAO have evaluated plans for addressing the
year 2000 at several federal departments or agencies, including the
Department of Veterans Affairs' Veterans Benefits Administration, the
Department of Defense, and the Department of Health and Human
Services' Health Care Financing Administration.  Several other
reviews are ongoing.  We are finding that, in many instances,
organizations need to improve their management of information
technology.  Especially in cases in which there is little experience
in dealing with large-scale software conversion or systems
development projects, it is important that tested, structured systems
development and program management approaches be followed. 

GAO has developed a guide that constitutes a framework for
organizations to use in assessing their capability to achieve Year
2000 compliance.\2 Released as an exposure draft in February and in
final just last week, it provides information on the scope of the
challenge and offers a structured, step-by-step approach for
reviewing the adequacy of an organization's planning and management
of its Year 2000 program.  The guide draws on the work of the federal
Chief Information Officers Council Subcommittee on Year 2000, and
incorporates guidance and practices identified by leading information
technology organizations.  I have copies with me today that I would
be happy to leave with you. 

The guide is divided into five sections that correspond with the five
phases that we see representing a Year 2000 program.  Before going
into greater depth for each phase, I'd like to first describe them in
broad terms.  The phases are awareness, assessment, renovation,
validation, and implementation.  Attached to my statement today--and
illustrated on my two presentation boards--are representations of
both the Year 2000 program phases and a timeline showing the duration
of each phase. 

Phase 1, AWARENESS, encompasses problem definition and executive
support and sponsorship; the Year 2000 team is assembled and an
overall strategy developed.  In phase 2, ASSESSMENT, the severity of
potential failures from uncorrected systems is gauged, inventories of
systems are conducted, and strategies for implementing necessary
changes are developed.  Phase 3 is RENOVATION, in which technical
system elements are converted or replaced.  In phase 4, VALIDATION,
corrected systems are tested.  Finally, phase 5 is IMPLEMENTATION: 
corrected systems are put into operation. 

Management of the overall Year 2000 program and its individual
projects is ongoing, throughout all phases.  The program should be
planned and managed as a single, large information-systems project. 
Along with planned monitoring, policies and procedures that must be
in place include quality assurance, risk management, scheduling and
tracking, and budgeting. 


--------------------
\2 Year 2000 Computing Crisis:  An Assessment Guide
(GAO/AIMD-10.1.14, September 1997). 


   YEAR 2000 PROGRAM PHASES:  A
   STRUCTURED APPROACH
---------------------------------------------------------- Chapter 0:3


      AWARENESS
-------------------------------------------------------- Chapter 0:3.1

As I mentioned earlier in the context of leadership, awareness is a
critical first step.  Many people who may have heard something about
a Year 2000 computer problem do not yet fully understand what it's
about and why it matters.  It is imperative that state employees
understand this.  Also in this phase, a specific unit within the
overall organization is identified to take the lead in correcting the
problem.  Senior state information technology specialists, in concert
with the project teams, need to select a workable approach to the
problem, examine the existing information resources management
infrastructure, and obtain needed resources. 

More specifically, during this phase an organization should focus its
energies on defining the Year 2000 problem, assessing the adequacy of
program management capabilities, developing an overall strategy,
appointing a program manager, and establishing a program office. 


      ASSESSMENT
-------------------------------------------------------- Chapter 0:3.2

The main thrust of assessment is separating the mission-critical
systems--which must be converted or replaced--from important ones
that should be converted or replaced and marginal ones that may be
addressed now or deferred.  It is important to remember that the Year
2000 problem is primarily a business problem, not just an issue of
information technology.  This is why it is essential to assess the
impact of potential Year 2000-induced system failures on core
business functions and mission-critical processes. 

To determine specifically what must be done and when, it is essential
to inventory information systems in each business area, assign
priority to individual systems, establish project teams for business
areas and major systems, and develop a program plan.  Organizations
should also start developing overall validation strategies and
testing plans, and identifying and acquiring tools.  In addition, in
order to ensure the continuity of core business processes should
renovations or replacements not be completed in time, realistic
contingency plans should be developed for mission-critical systems. 
Finally, assessments also need to include other systems that affect
the business, such as telephone switching systems. 


      RENOVATION
-------------------------------------------------------- Chapter 0:3.3

This phase deals with making actual changes, whether eliminating,
converting, or replacing hardware and software, and documenting those
changes.  In all cases, it will be important to consider the complex
interdependencies among systems and applications.  All changes also
need to be consistent throughout the organization, and information
about changes clearly disseminated to users. 

In addition to the conversion of selected applications and related
system components, the organization must also document code and
system changes and track and measure renovation processes. 


      VALIDATION
-------------------------------------------------------- Chapter 0:3.4

The validation phase may well take over a year to complete, and
consume up to half of the Year 2000 program's budget and resources. 
This is due to the complex interrelationships among multiple
applications, databases, and operating systems.  Yet this is
precisely why testing and validation are so essential:  It is the
only way to ensure that changes expected to work do in fact work.  It
will be important for program managers to satisfy themselves that
their testing procedures are indeed up to this challenge, that their
results can be trusted. 

During this phase, organizations should document test plans and
schedules; develop a strategy for managing testing of
contractor-converted systems; implement a Year 2000 test facility;
perform system testing; and define, collect, and use test
measurements for managing the validation process. 


      IMPLEMENTATION
-------------------------------------------------------- Chapter 0:3.5

Implementing Year 2000 compliant systems and their components
requires extensive integration and acceptance testing to ensure that
all components perform as needed in a heterogeneous operating
environment.  In addition, since not all components will be converted
or replaced simultaneously, organizations may for a time operate with
a mix of Year 2000 compliant and noncompliant systems.  To reduce
risk as systems are converted or replaced, it may be wise to operate
in a parallel processing mode for a period for selected
systems--using old and new systems side-by-side simultaneously--so
that this redundancy may act as a fail-safe mechanism until it is
clear that all changed systems are operating correctly. 


-------------------------------------------------------- Chapter 0:3.6

In closing, Mr.  Chairman, I would like to thank you for inviting me
to speak here today.  The Year 2000 problem is serious and could well
become a crisis for any organization--public or private--that fails
to take its demands seriously.  However, with sustained effort, it
can--and must--be addressed.  I would be pleased to respond to any
questions that you or other Delegates may have at this time. 


YEAR 2000 PROGRAM PHASES
=========================================================== Appendix I



   (See figure in printed
   edition.)


YEAR 2000 MILESTONES
========================================================== Appendix II



   (See figure in printed
   edition.)


*** End of document. ***