MANAGING THE MILLENNIUM THREAT
PROGRESS MADE IN CENTRAL GOVERNMENT AND THE WIDER PUBLIC SECTOR
8. Although the responsibility for ensuring that
government business continues without disruption in the year 2000
rests with each government department and agency, at the centre
the Office of Public Service, through the Central Information
Technology Unit and the Central Computer and Telecommunications
Agency, have a monitoring, advisory and coordination role. Since
30 March 1998, this role has extended across the whole public
sector.[3]
9. The Committee asked the Office of Public Service
what accountability they had for ensuring that the problem was
tackled successfully. They told us that they had to ensure that their
own internal systems and those of their agencies were year 2000
compliant. In addition, they were accountable for ensuring that
the Chancellor of the Duchy of Lancaster was properly advised,
and had problems in other departments drawn to his attention,
so that he could fulfil his responsibility for:
- monitoring the situation;
- drawing areas of concern to the attention of
particular ministers;
- putting urgency behind the system; and
- disclosing the situation to public scrutiny.[4]
10. They added that originally these responsibilities
covered central government, but in March 1998 had been extended
to the wider public sector. Although the potential control of
ministers collectively over the wider public sector was clearly
less direct, they hoped to progressively increase the level of
scrutiny and detail for at least the key areas.[5]
11. We asked what action the Office of Public Service
could take if serious problems emerged through the monitoring
process. They said that it would not be for them to instruct a
department to take remedial action. But if the Chancellor of the
Duchy was unhappy he would take it up with the relevant minister.[6]
12. The departmental progress reports published in
November 1997 and March 1998 were of variable content and format
and revealed slippage against completion targets.[7]
In the light of these reports, we asked the Office of Public Service
how confident they were that government business would be able
to continue without disruption in the year 2000. They told us
that these reports, and those in June 1998, showed slippage in
the expected completion dates with some cases getting uncomfortably
close to the year 2000, leaving no room for manoeuvre or error.
Slippage on business critical systems was not very serious, and
85 per cent of the returns predicted completion for business
critical systems by June 1999, which is about three months later
than previously forecast. There had been a little more slippage
on other systems, and 87 per cent of these were now predicted
for completion in September 1999. They took the view, however,
that this was not as bad as it seemed because bit by bit there
was increased coverage of the less critical systems.[8]
13. We asked about the risks of running right up
to the wire. The Office of Public Service pointed out that central
government was now about 30 per cent of the way through the actual
correction programme for business critical systems, and so were
getting more of a handle on what was going on. They told us, however,
that there were clearly some departments they were concerned about,
particularly those declaring completion dates in the second half
of 1999.[9]
14. The Committee asked the Office of Public Service
whether they had undertaken a comprehensive assessment of the
risks posed by a failure to achieve compliance in the wider public
sector, and what assurance they could give us that the wider public
sector could achieve compliance by year 2000. They told us they
had not yet undertaken such an assessment. The June 1998 return
was the first time they had attempted to put comprehensive information
together for the wider public sector and more work was needed
to fine-tune the analysis and ensure they had a comprehensive
picture.[10]
15. They pointed out that ministers had drawn the
year 2000 problem to the attention of all public bodies in May
1996 and that, although returns hitherto had been pretty sketchy,
this did not necessarily imply that actual progress was unsatisfactory.
They intended to increase the level of scrutiny, picking on certain
key sectors where the risk was greatest and ensuring their returns
were in similar detail to those being made for central government.[11]
16. The total cost of achieving year 2000 compliance
in central government departments and agencies was estimated in
November 1997 at £370 million. By March 1998 the estimate
had risen by 6 per cent to £393 million.[12]
The Office of Public Service told us that their latest estimate
was £402 million spread over at least two financial
years and probably three.[13]
17. We asked how confident the Office of Public Service
were about the accuracy of this figure. They admitted that they
would not be surprised if the estimate increased a little bit,
but it was unlikely to do so at the same rate as in the past,
if only because the proportion of work still undone was reducing
all the time.[14]
18. The Prime Minister said on 30 March 1998 that
estimates which put the total public sector cost at up to £3 billion
were reasonable.[15]
We asked the Office of Public Service how this figure had been
arrived at. They told us that the figure was not a forecast, but
one that had seemed reasonable to the Prime Minister. They added
that the £402 million estimate was for central government
including the armed forces. The figure for the NHS in England
was up to about £320 million, though they did not have
the figures for the NHS in Wales, Scotland or Northern Ireland.
And for local government, the Local Government Association had
put the cost at about £500 million. In total this added
up to something short of £1½ billion. In addition, there
were other areas of the wider public sector which they had mapped
rather less well so far, such as London Transport, the Post Office,
British Nuclear Fuels and the Civil Aviation Authority. Overall,
they concluded that there was ground for thinking that £3 billion
was probably in the right ball park.[16]
19. We asked the Office of Public Service how far
the Government's IT programme would be delayed by the diversion
of resources into combatting the millennium threat. They pointed
out that of the £2 billion the Government spends each
year on IT procurement and services, expenditure of £400 million
over two or three financial years on the millennium threat was
not hugely disproportionate. Tackling the threat had changed some
priorities within programmes, accelerating replacements in some
cases and postponing updates in others, but they had had no signs
that diversion of resources had become a major worry to the departments.[17]
20. We asked the Treasury if it was their policy
that year 2000 costs would be absorbed by Departments irrespective
of any difficulties this might cause. They told us that the Government's
current policy was that the costs should be met from within existing
plans. However, as much of the activity would be replacement of
hardware and software which may well have been a requirement in
any event, not all of the £3 billion would be an additional
call on resources. They were fairly confident that the Government
would not allow a situation to arise where compliance would not
be achieved because of financial constraints, and they assured
us they would react sensibly to cost increases brought to their
attention which could not be absorbed.[18]
21. Overall, departments and agencies claim that they
have the necessary skilled resources available in-house or
from existing suppliers of contracted out services. However, there
is a risk that as more detailed work is done, revealing the need
for additional staff, sufficient staff will not be available or
costs will rise as departments and agencies find they have to
pay premium rates. Already the Ministry of Defence had signalled
their concerns about emerging staff shortages.[19]
22. The Committee asked the Office of Public Service
whether they were confident that sufficient skilled staff would
be available. They told us that loss of skilled staff did not
appear to be a problem, possibly because civil service employment
tends to be a little less volatile than other areas. Many departments
had outsourced the provision of IT services and they did not see
serious signs of any failure of suppliers to maintain necessary
staffing levels. Others, for example the Scottish Office, were
seeking to retrain many people in these skills. So their assessment
was that while staffing continued to be a matter of concern it
had proved less of an issue than they had thought it might be.[20]
23. We asked whether the potential staffing difficulties
reported by the Ministry of Defence posed any threat to our defence
capability. The Office of Public Service said that the Ministry
of Defence were concerned about skill supply shortage, but the
general messages from them concerning strategic or operational
risks were reassuring.[21]
They were giving priority to those systems which were critical
to maintaining the operational effectiveness of the Armed Forces,
and were confident that all key operationally critical systems,
including those relating to strategic defences, would be rectified
before problems were encountered.[22]
24. In view of the potential impacts of failures
in computer systems and electronic equipment, effective contingency
plans are essential. In his Report, the Comptroller and Auditor
General noted that Departments and agencies needed to bring their
business continuity plans up to date to deal with the impact of
failure of their own systems and those of third parties.[23]
We therefore asked the Office of Public Service what action had been
taken to ensure all bodies had adequate business continuity plans
in place. They told us it was a standing arrangement that right
through government there were disaster plans to cover breakdowns,
such as a failure of electricity. They assured us that all departments
and agencies were engaged in bringing these plans up to scratch
with specific reference to the year 2000 problem. These plans
had to cope with problems in their own systems, with problems
in the systems of third parties with whom they had electronic
links, and with problems in non-IT suppliers including public
utilities. About half the departments and agencies had year 2000
adjusted contingency plans in place though they varied in scope
and detail.[24]
25. The Committee asked the Office of Public Service
if it was possible to recover remedial costs from suppliers. They
said that in their view it was wrong to imply that the Year 2000
issue was somebody's fault. A large part of what was being corrected
was a failure to take account of the year 2000 problem in systems,
some of which were installed a quarter of a century ago when people
did not expect their systems or particular software programmes
to last as long as that.[25]
26. They said that the Central Computer and Telecommunications
Agency had issued guidance in September 1996 that provided for
year 2000 compliance as a standard requirement on purchase of
all new IT systems. And the general question of supplier liability
was addressed in the six volume guidance the Central Computer
and Telecommunications Agency had published. They had not issued
a specific guidance letter on liability questions but it was a
matter they were looking into.[26]
They had undertaken some initial work on the question of legal
liabilities, but the priority was to tackle the problem first
and unless warranties had been given at that time, they thought
it unlikely that damages could be claimed in most cases.[27]
And it was for individual departments to tackle supplier liability,
depending on the terms of individual contract or procurement.[28]
Conclusions
27. Progress reports for central government already
show some slippage and some Departments do not now expect to complete
their work until the second half of 1999. As a result, we cannot
be sure that government business will not be disrupted in the
year 2000, and in some cases there is little room for manoeuvre
if things go wrong. The Office of Public Service need to direct
particular attention to those central government departments that
do not expect to complete their work until the second half of
1999.
28. We are concerned that the estimated cost to central
government bodies rose by 9 per cent between November 1997 and
June 1998. However, we note the view of the Office of Public Service
that although costs may rise above the latest estimate of £402
million, they should not rise as rapidly as in the past.
29. We note the Office of Public Service's view that
the £400 million required by central government can
be found from within existing budgets, partly by rescheduling
replacement programmes, without any further impact on services.
And we are encouraged by the assurance from Treasury that if costs
cannot be absorbed by departments they would react sensibly. We
expect the Office of Public Service to draw the attention of
Treasury to any areas where resource constraints put timely completion
of the programme at risk.
30. We are disappointed that the first attempt to
monitor progress across the wider public sector was in June 1998,
some one and a half years after the programme began. This has
prevented the Office of Public Service from undertaking a comprehensive
risk assessment. In the absence of such an assessment, and in
view of the patchy returns received so far, we are concerned about
the readiness of the wider public sector to cope with the Year
2000 issue and about whether resources are being targeted on those
business critical systems most at risk. We expect the Office of
Public Service to complete a full risk assessment across the whole
of the public sector by mid-1998, to identify bodies and
key risk areas that should be targeted for action or intensive
monitoring.
31. It is not possible to predict the full impact
of the millennium threat within an organisation or through the
supply chain. We are concerned, therefore, that only half of government
departments and agencies have updated their business continuity
plans to deal with the year 2000 and that those that exist vary
in scope and detail. We look to the Office of Public Service to
require all public bodies to have comprehensive, robust business
continuity plans in place by January 1999.
32. We recognise that many of the systems and equipment
that need to be replaced or modified were installed well before
the scale of the Year 2000 issue became apparent. Nevertheless,
we are disappointed that the Office of Public Service has not given
a stronger lead on the issue of supplier liability. We expect
them to provide guidance and support to departments, agencies
and the wider public sector to ensure that wherever possible suppliers
that fail to meet their obligations meet the costs involved.
3 C&AG's report (HC 724 of 1997-98), para 9
4 Qs 7, 14
5 Q7
6 Qs 7, 14-15
7 C&AG's report (HC 724 of Session 1997-98), paras 1.8, 1.10, 1.15
8 Qs 2, 59
9 Q59
10 Q69
11 Qs 7, 51, 69-74
12 C&AG's report (HC 724 of Session 1997-98), paras 1.32, 1.36
13 Qs 21, 30, 97
14 Qs 21, 50, 98-101
15 C&AG's report (HC 724 of Session 1997-98), paras 5 and 1.32
16 Qs 26-29, and 85-86; and Appendix 1, p18
17 Qs 90-91
18 Qs 87, 147
19 C&AG's report (HC 724 of Session 1997-98), para 10
20 Qs 4-6, 48
21 Qs 102-110
22 Supplementary Memorandum from the Office of Public Service, Evidence, Appendix 3, p19
23 C&AG's report (HC 724 of Session 1997-98), paras 6 and 1.29
24 Q16
25 Q31
26 Qs 31-37, 80
27 Qs 31-34
28 Qs 75-76