Report 98116 Summary - February 1999

Year 2000 Computer Problem

:

The State's Agencies Are Progressing Toward Compliance but Key Steps Remain Incomplete

RESULTS IN BRIEF

This is our second report on state agencies' progress in resolving the problems with their computer systems caused by the year 2000, or the millennium bug, as it is sometimes called. As we reported in August 1998, state agencies are making progress toward correcting critical computer systems to ensure the uninterrupted delivery of essential services to Californians; however, we are concerned that many of the 14 agencies that provide the most critical services are still not done. Eleven agencies have not completely tested their computer systems, nor have 7 corrected or replaced the embedded chips that control certain of their systems' computerized activities.

For example, the Employment Development Department estimates that it will not complete testing of the unemployment insurance system until September 1999. This critical system manages over $2.9 billion in annual payments to unemployed workers. In another instance, the Department of Corrections does not expect to correct and test embedded technology in the electrified fences at 23 prisons until September 1999. Such late completion dates may not give the agencies enough time to resolve unforeseen problems before January 1, 2000, which could cause financial hardship to or imperil the safety of Californians. Additionally, five agencies have not completely resolved critical issues with their data exchange partners.

Moreover, 14 of 20 computer systems at these vital agencies are mission-critical, or essential to core business functions and, according to a governor's executive order, should have been fixed by December 31, 1998, but were not. Worse yet, with less than 11 months until the new millennium begins, 11 agencies still have no business continuation plans if their computer systems are not corrected in time or fail to work. Equally unprepared are almost two-thirds of all 462 state programs because agencies still have critical tasks to complete, such as executing and documenting full system testing, correcting embedded technology, or remedying data exchange problems. Over half of all programs must also develop business continuation plans to cover the possibility that their remediation efforts might fail.

We further found that one of the State's two large data centers that support hundreds of state clients has a poor strategy to protect its clients from the ill effects caused by year 2000 problems. The Teale Data Center (Teale) lacks a year 2000 plan that addresses critical client services and has allocated few resources to year 2000 tasks in general. Although Teale has developed a time machine environment for testing a system's ability to function after December 31, 1999, it does not monitor its clients' use of this environment. Neither has Teale required clients to abandon noncompliant software that could corrupt data or destabilize its processing environment.

In contrast, the Health and Welfare Data Center (HWDC) has a comprehensive year 2000 plan that addresses critical client services and has devoted significant resources to executing its plan. The HWDC also encouraged its clients to perform year 2000 testing in its time machine environment and is monitoring client use to ensure its mainframe computers are year 2000 ready. In addition, the HWDC is precluding its clients from using software that is not year 2000 compliant.

With time running out and no potential for an extension, it is troubling to find so many computer systems that support such a large number of state programs-many delivering vital services to Californians-are still in need of some remediation before state agencies can ensure the risk of failure is minimal. What is more disturbing is that many of the same agencies that have not fully remediated the computer systems supporting their programs also have not completed business continuation plans to deliver services if their efforts are further delayed or fail to work.

Finally, of additional concern is the fact that no single entity is charged with overseeing the year 2000 readiness of electric and telecommunication utilities essential to the delivery of state and other public services. Instead, a variety of entities, including commissions, elected boards, and nonprofit organizations, regulate and monitor portions of the systems. For example, the California Public Utilities Commission is monitoring portions of the electrical industry and all of the telecommunication providers in California, but it just began these efforts and may not present results until at least April 1999. Further, although the North American Electrical Reliability Council is monitoring efforts on a national level, its reported results are preliminary and based on self-reported information.