House of Commons - Public Accounts

Select Committee on Public Accounts Sixty-Sixth Report

MANAGING THE MILLENNIUM THREAT

PROGRESS MADE IN CENTRAL GOVERNMENT AND THE WIDER PUBLIC SECTOR

8. Although the responsibility for ensuring that government business continues without disruption in the year 2000 rests with each government department and agency, at the centre the Office of Public Service, through the Central Information Technology Unit and the Central Computer Telecommunications Agency have a monitoring, advisory and coordination role. Since 30 March 1998, this role has extended across the whole public sector.[3]

9. The Committee asked the Office of Public Service what accountability they had for ensuring that the problem was tackled successfully. They told us that had to ensure that their own internal systems and those of their agencies were year 2000 compliant. In addition, they were accountable for ensuring that the Chancellor of the Duchy of Lancaster was properly advised, and had problems in other departments drawn to his attention, so that he could fulfil his responsibility for:

monitoring the situation;

drawing areas of concern to the attention of particular ministers;

putting urgency behind the system; and

disclosing the situation to public scrutiny.[4]

10. They added that originally these responsibilities covered central government, but in March 1998 had been extended to the wider public sector. Although the potential control of ministers collectively over the wider public sector was clearly less direct, they hoped to progressively increase the level of scrutiny and detail for at least the key areas.[5]

11. We asked what action the Office of Public Service could take if serious problems emerged through the monitoring process. They said that it would not be for them to instruct a department to take remedial action. But if the Chancellor of the Duchy was unhappy he would take it up with the relevant minister.[6]

12. The departmental progress reports published in November 1997 and March 1998 were of variable content and format and revealed slippage against completion targets.[7] In the light of these reports, we asked the Office of Public Service how confident they were that government business would be able to continue without disruption in the year 2000. They told us that these reports, and those in June 1998, showed slippage in the expected completion dates with some cases getting uncomfortably close to the year 2000, leaving no room for manoeuvre or error. Slippage on business critical systems was not very serious, and 85 per cent of the returns predicted completion for business critical systems by June 1999, which is about three months later than previously forecast. There had been a little more slippage on other systems, and 87 per cent of these were now predicted for completion in September 1999. They took the view, however, that this was not as bad as it seemed because bit by bit there was increased coverage of the less critical systems.[8]

13. We asked about the risks of running right up to the wire. The Office of Public Service pointed out that central government was now about 30 per cent of the way through the actual correction programme for business critical systems, and so were getting more of a handle on what was going on. They told us, however, that there were clearly some departments they were concerned about, particularly those declaring completion dates in the second half of 1999.[9]

14. The Committee asked the Office of Public Service whether they had undertaken a comprehensive assessment of the risks posed by a failure to achieve compliance in the wider public sector, and what assurance they could give us that the wider public sector could achieve compliance by year 2000. They told us they had not yet undertaken such an assessment. The June 1998 return was the first time they had attempted to put comprehensive information together for the wider public sector and more work was needed to finetune the analysis and ensure they had a comprehensive picture.[10]

15. They pointed out that ministers had drawn the year 2000 problem to the attention of all public bodies in May 1996 and that, although returns hitherto had been pretty sketchy, this did not necessarily imply that actual progress was unsatisfactory. They intended to increase the level of scrutiny, picking on certain key sectors where the risk was greatest and ensuring their returns were in similar detail to those being made for central government.[11]

16. The total cost of achieving year 2000 compliance in central government departments and agencies was estimated in November 1997 at £370 million. By March 1998 the estimate had risen by 6 per cent to £393 million.[12] The Office of Public Service told us that their latest estimate was £402 million spread over at least two financial years and probably three.[13]

17. We asked how confident the Office of Public Service were about the accuracy of this figure. They admitted that they would not be surprised if the estimate increased a little bit, but it was unlikely to do so at the same rate as in the past, if only because the proportion of work still undone was reducing all the time.[14]

18. The Prime Minister said on 30 March 1998 that estimates which put the total public sector cost at up to £3 billion were reasonable.[15] We asked the Office of Public Service how this figure had been arrived at. They told us that the figure was not a forecast, but one that had seemed reasonable to the Prime Minister. They added that the £402 million estimate was for central government including the armed forces. The figure for the NHS in England was up to about £320 million, though they did not have the figures for the NHS in Wales, Scotland or Northern Ireland. And for local government, the Local Government Association had put the cost at about £500 million. In total this added up to something short of £1½ billion. In addition, there were other areas of the wider public sector which they had mapped rather less well so far, such as London Transport, the Post Office, British Nuclear Fuels and the Civil Aviation Authority. Overall, they concluded that there was ground for thinking at £3 billion was probably in the right ball park.[16]

19. We asked the Office of Public Service how far the Government's IT programme would be delayed by the diversion of resources into combatting the millennium threat. They pointed out that of the £2 billion the Government spends each year on IT procurement and services, expenditure of £400 million over two or three financial years on the millennium threat was not hugely disproportionate. Tackling the threat had changed some priorities within programmes, accelerating replacements in some cases and postponing updates in others, but they had had no signs that diversion of resources had become a major worry to the departments.[17]

20. We asked the Treasury if it was their policy that year 2000 costs would be absorbed by Departments irrespective of any difficulties this might cause. They told us that the Government's current policy was that the costs should be met from within existing plans. However, as much of the activity would be replacement of hardware and software which may well have been a requirement in any event, not all of the £3 billion would be an additional call on resources. They were fairly confident that the Government would not allow a situation to arise where compliance would not be achieved because of financial constraints, and they assured us they would react sensibly to cost increases brought to their attention which could not be absorbed.[18]

21. Overall departments and agencies claim that they have the necessary skilled resources available inhouse or from existing suppliers of contracted out services. However, there is a risk that as more detailed work is done, revealing the need for additional staff, sufficient staff will not be available or costs will rise as departments and agencies find they have to pay premium rates. Already the Ministry of Defence had signalled their concerns about emerging staff shortages.[19]

22. The Committee asked the Office of Public Service whether they were confident that sufficient skilled staff would be available. They told us that loss of skilled staff did not appear to be a problem, possibly because civil service employment tends to be a little less volatile than other areas. Many departments had outsourced the provision of IT services and they did not see serious signs of any failure of suppliers maintaining necessary staffing levels. Others, for example the Scottish Office, were seeking to retrain many people in these skills. So their assessment was that while staffing continued to be a matter of concern it had proved less of an issue than they had thought it might be.[20]

23. We asked whether the potential staffing difficulties reported by the Ministry of Defence posed any threat to our defence capability. The Office of Public Service said that the Ministry of Defence were concerned about skill supply shortage, but the general messages from them concerning strategic or operational risks were reassuring.[21] They were giving priority to those systems which were critical to maintaining the operational effectiveness of the Armed Forces, and were confident that all key operationally critical systems, including those relating to strategic defences would be rectified before problems were encountered.[22]

24. In view of the potential impacts of failures in computer systems and electronic equipment, effective contingency plans are essential. In his Report, the Comptroller and Auditor General noted that Departments and agencies needed to bring their business continuity plans up to date to deal with the impact of failure of their own systems and those of third parties.[23] We therefore asked Office of Public Service what action had been taken to ensure all bodies had adequate business continuity plans in place. They told us it was a standing arrangement that right through government there were disaster plans to cover breakdowns, such as a failure of electricity. They assured us that all departments and agencies were engaged in bringing these plans up to scratch with specific reference to the year 2000 problem. These plans had to cope with problems in their own systems, with problems in the systems of third parties with whom they had electronic links, and with problems in nonIT suppliers including public utilities. About half the departments and agencies had year 2000 adjusted contingency plans in place though they varied in scope and detail.[24]

25. The Committee asked the Office of Public Service if it was possible to recover remedial costs from suppliers. The said that in their view it was wrong to imply that the Year 2000 issue was somebody's fault. A large part of what was being corrected was a failure to take account of the year 2000 problem in systems, some of which were installed a quarter of a century ago when people did not expect their systems or particular software programmes to last as long as that. [25]

26. They said that the Central Computer and Telecommunications Agency had issued guidance in September 1996 that provided for year 2000 compliance as a standard requirement on purchase of all new IT systems. And the general question of supplier liability was addressed in the six volume guidance the Central Computer and Telecommunications Agency had published. They had not issued a specific guidance letter on liability questions but it was a matter they were looking into.[26] They had undertaken some initial work on the question of legal liabilities, but the priority was to tackle the problem first and unless warranties had been given at that time, they thought it unlikely that damages could be claimed in most cases.[27] And it was for individual departments to tackle supplier liability, depending on the terms of individual contract or procurement.[28]

Conclusions

27. Progress reports for central government already show some slippage and some Departments do not now expect to complete their work until the second half of 1999. As a result, we cannot be sure that government business will not be disrupted in the year 2000, and in some cases there is little room for manoeuvre if things go wrong. The Office of Public Service need to direct particular attention to those central government departments that do not expect to complete their work until the second half of 1999.

28. We are concerned that the estimated cost to central government bodies rose by 9 per cent between November 1997 and June 1998. However we note the view of the Office of Public Services that although costs may rise above the latest estimate of £402 million, they should not rise as rapidly as in the past.

29. We note the Office of Public Service's view that the £400 million required by central government can be found from within existing budgets, partly by rescheduling replacement programmes, without any further impact on services. And we are encouraged by the assurance from Treasury that if costs cannot be absorbed by departments they would react sensibly. We expect the Office of Public Services to draw the attention of Treasury to any areas where resource constraints put timely completion of the programme at risk.

30. We are disappointed that the first attempt to monitor progress across the wider public sector was in June 1998, some one and a half years after the programme began. This has prevented the Office of Public Service from undertaking a comprehensive risk assessment. In the absence of such an assessment, and in view of the patchy returns received so far, we are concerned about the readiness of the wider public sector to cope with the Year 2000 issue and about whether resources are being targeted on those business critical systems most at risk. We expect the Office of Public Service to complete a full risk assessment across the whole of the public sector by mid1998, to identify bodies and key risk areas that should be targeted for action or intensive monitoring.

31. It is not possible to predict the full impact of the millennium threat within an organisation or through the supply chain. We are concerned, therefore, that only half of government departments and agencies have updated their business continuity plans to deal with the year 2000 and that those that exist vary in scope and detail. We look to the Office of Public Service to require all public bodies to have comprehensive, robust business continuity plans in place by January 1999.

32. We recognise that many of the systems and equipment that need to be replaced or modified were installed well before the scale of the Year 2000 issue became apparent. Nevertheless, we disappointed that the Office of Public Service has not given a stronger lead on the issue of supplier liability. We expect them to provide guidance and support to departments, agencies and the wider public sector to ensure that wherever possible suppliers that fail to meet their obligations meet the costs involved.

3 C&AG's report, (HC 724 of 1997-98), para 9 Back

4 Qs 7, 14 Back

5 Q7 Back

6 Qs 7, 14-15 Back

7 C&AG's report, (HC 724 of Session 1997-98), paras 1.8, 1.10, 1.15 Back

8 Qs 2, 59 Back

9 Q59 Back

10 Q69 Back

11 Qs 7, 51, 69-74 Back

12 C&AG's report (HC 724 of Session 1997-98), paras 1.32, 1.36 Back

13 Qs 21, 30, 97 Back

14 Qs 21, 50, 98-101 Back