This summary report of the Auditor General makes it clear that the risks to the government and the economy are huge. The report adds: "Taking these issues into consideration, it may already be too late for some agencies to substantially reduce their Year 2000 risks in the time available. . . . Few agencies have undertaken comprehensive testing of systems and applications and few have contingency, business resumption or disaster recovery plans in place to deal with Year 2000 related failures."
At the end of this long report is a list of bureaucratic recommendations to which there are attached no sanctions. Without money (carrot) or threats (stick), bureaucrats in every Australian agency will know that this report is mostly public relations.
What this report makes clear is that there is no systematic y2k repair project in Australia.
My assessment: At this late date, there is no way the Australian government will overcome the long list of problems surveyed in this report.
What is true for Australia is true for every other nation.
* * * * * * *
Audit Report No. 27 1997-98
Part One - Summary And Recommendations
1. Over the next two years, a number of private and public sector organisations may experience business disruptions resulting from an inability of computerised business systems, or other equipment and machinery using micro-processors, to represent the year 2000 as a two digit year date. This source of potential systems malfunction has been variously referred to as the 'Year 2000 problem' or the 'millennium bug'. The core business functions of government entities are heavily reliant on computerised information systems and electronic equipment and, as a result the Year 2000 problem presents significant potential risks to the Commonwealth. Computer systems critical to the operations of government are complex and are often highly integrated, both within and between Commonwealth agencies and other legal entities, and externally with other levels of government, the financial sector, industry and with a range of clients.
2. Among the risks to key government functions associated with the Year 2000 problem are:
•government revenue not being received or being processed incorrectly;
•program moneys not being paid or paid correctly (including payments to beneficiaries);
•disruption of business critical processes, including program delivery, with consequent costs arising from, for example, lost productivity, reduced efficiency and loss of stakeholder confidence;
•legal risks arising from liability for adverse effects upon other parties such as contractors or clients/customers;
•the risk that government entities may be unable to fulfil statutory obligations; or
•risks to personal security or safety. . . .
3. The Year 2000 problem is basically a management/business problem that needs to be addressed in a corporate manner and communicated to all staff as a shared concern.
4. Year 2000 related systems malfunctions have already occurred in the public and private sectors in Australia and overseas. Many business processes depend on date-sensitive calculations or date-related 'triggers' which already require a capacity to enter dates from 2000 and beyond. Computerised information systems which have not been modified will react in a variety of ways to the Year 2000 problem. Some may not be able to cope and will simply fail to operate. Others may continue to run, but will produce meaningless or erroneous data. . . .
7. Overall, the ANAO found that the majority of agencies surveyed are not following a systematic and structured approach to the identification, ranking and treatment of Year 2000 risks and, as a result, it is probable that many agencies have not yet identified the full extent of their Year 2000 exposure. The majority of agencies reported that they have not integrated their management of Year 2000 risks within a broader corporate risk management framework, although it is obvious that this is predominantly a management problem. There are, however, several indications of good practice that reflect what can and should be done.
8. The ANAO considers that all agencies should review, and where necessary re-orient their management of, and strategies for dealing with, the Year 2000 problem. Unless agencies can provide reliable assurances about their management of business risks associated with the Year 2000 problem, the possibility exists that core functions of government and the interests, and confidence, of clients and other stakeholders will be adversely affected with wide ranging potential consequences for program outcomes. As with many other major IT projects, implementing solutions to the Year 2000 problem can involve long lead times to which must be added time for testing and providing assurance to management. Taking these issues into consideration, it may already be too late for some agencies to substantially reduce their Year 2000 risks in the time available. . . .
Risk management: Sound risk management arrangements are seen as crucial to the effective management of the Commonwealth's exposure to risk as a result of the Year 2000 problem. Most agencies surveyed have undertaken some identification and analysis of Year 2000 risks, but few agencies have done so as part of an overarching corporate risk management plan. This is essential if the problem is to be treated as a business risk affecting the whole agency. Only 36 per cent of agencies responding to the survey reported having a corporate risk management plan. . . .
Few agencies have undertaken comprehensive testing of systems and applications and few have contingency, business resumption or disaster recovery plans in place to deal with Year 2000 related failures. Agencies need to take into account the probability that testing activities may require generous lead times and in some cases will require the re-direction of internal resources and re-allocation of priorities which, in the short term at least, may affect the efficiency and effectiveness of some business operations. However, there is no real substitute for proven performance under operational conditions.
Implementation, management and monitoring: Year 2000 project planning and management is generally lacking in the majority of agencies surveyed. Generally, considering the potential risks and costs involved, agencies have not demonstrated that sufficient internal resources have been assigned to address the Year 2000 problem or that they have adequately assessed the need for the procurement of products and services necessary to assist in becoming Year 2000 compliant. . . .
The majority of agencies report that their Year 2000 projects are primarily a responsibility of an information technology (IT) functional unit. As a result there is, apparently, insufficient attention being given in many agencies to the non-IT risks and effects of the Year 2000 problem, including risks associated with the Year 2000 compliance of suppliers of business critical goods and services. . . .
12. The ANAO found that less than half of the agencies surveyed were able to provide estimates of the total cost for their agency to become Year 2000 compliant. The evidence indicates that agencies do not have access to a consistent and systematic methodology for the analysis and projection of Year 2000 costs. . . .
Unless agencies can provide reliable assurances about their management of business risks associated with the Year 2000 problem, the possibility exists that core functions of government and the interests, and confidence, of clients and other stakeholders will be adversely affected with wide ranging potential consequences. . . .
The majority of agencies have not reached a point in the progress of their Year 2000 projects where they are in a position to undertake compliance testing of their systems and business applications and, as a result, are not yet in a position to offer assurances that their systems will operate as required in the year 2000 (or earlier, in the case of software applications which will need to use '2000' dates before 1 January 2000).
19. Almost one quarter of agencies surveyed reported that they do not have a Year 2000 project in place; approximately one third reported that they do not have an overall Year 2000 project manager or some designated coordinator; and nearly half reported that they have not formally defined the roles and responsibilities of individuals responsible for responding to the Year 2000 problem. In addition, almost one third of agencies reported that they do not provide periodic reports on Year 2000 progress to their chief executive or executive board of management. . . .
20. A majority of agencies surveyed have not yet reached a stage where they can confidently and reliably estimate their total exposure to the Year 2000 problem; identify the range and number of business inputs which are potentially affected; assign priority to systems, applications, infrastructure, products or services in terms of actual Year 2000 risk and potential effects on core business functions; provide assurance about the resolution of the Year 2000 problem for each of the business inputs upon which they rely; or offer assurances that their Year 2000 projects will be completed on time.