GAO offers guidelines for contingency plans

The General Accounting Office last week released a draft report to guide federal agencies through developing Year 2000 contingency plans in case computer systems fail in the next millennium.

Claiming many agencies "may face major disruptions in their operations" because of Year 2000 problems that were not properly fixed, GAO advised that "agencies must start business continuity and contingency planning now to reduce the risk of Year 2000 business failures."

Without the plans, unforeseen computer failures could cause airline flight delays, disrupt tax refunds and delay veterans' benefits payments and the issuance of college loans, GAO reported.

"It's imperative that contingency planning be under way right now for all agency activities," Gene Dodaro, GAO's assistant comptroller general, told a joint hearing of the House Government Reform and Oversight Committee's Subcommittee on Government Management, Information and Technology and the Science Committee's Subcommittee on Technology last week.

Guides Serve Two Camps

The guidelines are not only for systems that are projected to fail but also for systems that agencies believe to be compliant but that may turn out not to be. "As the clock is ticking and time is running out, more government agencies are concerned that they may not have enough time," said Joel Willemssen, GAO's director of information resources management. "At the same time, agencies that do make it must have contingency plans for their key business processes because there's no 100 percent guarantee that their renovation and validation work will not have some anticipated problems."

The draft, which is fashioned from GAO's guidelines for the five phases of OMB's Year 2000 compliance plan, has four phases that GAO believes federal agencies should follow as they prepare for potential failures.

While GAO is inviting comments from agency chief information officers and the report is subject to change, the four phases outlined in the draft report are:

* Initiation, which is the first step, identifies the person responsible for developing a high-level strategy that includes schedules and milestones that must be backed by executive support.

* Business impact analysis, in which agencies will assess the consequences of computer failures to their core business processes. This phase involves identifying agencies' Year 2000-related threats and risks and includes assessing infrastructure risks, such as threats to telecommunications.

* Contingency planning, which includes identifying and documenting contingency plans for each of the agencies' major lines of business.

* Testing, which includes end-to-end testing that ensures that the contingency plans will work as planned.

Dodaro said the Federal Aviation Administration and the Health Care Financing Administration are two agencies that particularly need to develop contingency plans because those agencies are so far behind in fixing computers.

"We have recommended that FAA develop contingency plans because of the difficulties it's facing and the late start that it received," Dodaro said. "Also, great concern continues to revolve around the systems to pay Medicare claims." With about 800 million claims processed a year, "[HCFA] continues to be concerned that the Medicare contractors will not be ready to meet the March 1999 deadline for completing the implementation phase."

John Koskinen, chairman of the President's Council on the Year 2000 Conversion, testified that he is conducting several meetings with agency chiefs, their deputies and CIOs who are leading the Year 2000 effort. Koskinen noted that discussions on contingency plans are a high priority. "In each meeting, I have been asking three key questions: 'What are your major risks? What are the most significant obstacles to removing those risks? What contingency plans are appropriate in light of that analysis?' " he said.

Many agencies have downplayed contingency plans, saying they are more concerned with fixing their lines of code. Cynthia Warner, chairwoman of the General Services Administration's support subcommittee for the CIO Council's Committee on the Year 2000, said contingency plans are needed, "but obviously they won't be used now" because agencies are spending more time fixing and testing systems.

However, Warner stressed the need for agencies to take contingency planing seriously. "What's important is that agencies do a thorough job and take the exercise seriously," she said. "It's also important that the contingency plan be completed in the event [that] system failures occur."

The Labor Department, which was added to the Office of Management and Budget's most-critical list of agencies that are showing "insufficient progress" in their Year 2000 conversion work, also welcomed the GAO draft. "The Department of Labor believes the GAO document on contingency planning is a very comprehensive document, timely addressing a topic on which guidelines have been scarce," said Shirley Malia, Labor's deputy CIO. "As part of our Year 2000 program, the Department of Labor is currently developing contingency plans for our benefits systems, financial systems and selected priority data exchanges. The GAO guidelines will greatly assist us in our contingency plan development process."