COMMITTEE of PUBLIC ACCOUNTS debate -
Thursday, 9 Dec 1999

The committee will be familiar with the origins of the year 2000 problem or the millennium bug as it is sometimes colloquially referred to. It stems from using a two digit descriptor for a year rather than the full four digits and a time when the capacity of the processors which drive our computers was only a tiny fraction of what it is today. Issues such as memory space were very important and short cuts were taken. Over the years the use of two digits became a programming convention. It was only in the early 1990s that there was a general recognition that this could cause a major problem in the year 2000. Newly written progammes and embedded software since the mid-1990s have incorporated a four digit year descriptor or something similar to allow them recognise the year 2000 but there remained a huge bank of programmes and systems written in the old way which could result in the year 2000 being interpreted by computers as the year 1900 with all the attendant consequences of programme malfunction and system crashes. The pervasive impact of computers on all aspects of modern day life suggested that if remedial action was not taken chaos would result.

Because of the dependence of the apparatus of State services on computers I decided in 1998 to examine the measures key Departments and agencies of the State were taking by way of remedial work to ensure their systems were year 2000 compliant. The examination focused on whether the planning and management of the compliance projects were carried out in the most efficient and cost effective way and whether the projects were likely to be effective and completed in good time before the end of this year. It also highlighted the general value for money principles associated with undertaking major information systems projects.

The Departments and agencies concerned came out of the examination pretty well. All six examined had sound strategies and projects in place which involved either recoding the programmes or replacing the systems with compliant new systems. Some Departments experienced delays in getting their projects up and running due to a shortage of skilled staff. This led to an increase in the use of outside help in some cases, which increased the cost of the work. It is hard to put a figure on the cost of ensuring year 2000 compliance across the Civil Service because, in many cases, staff were diverted from normal IT development work to work on the projects. Because of this there has been an unquantifiable opportunity cost. A sum of £12.8 million was provided in Departments and offices in 1998 and 1999 to address the problem. Moreover, a £40 million contingency fund is also available to deal with problems that may arise with embedded technologies in systems and equipment in the public sector.

Apart from the gripe about the lack of information on the costs of year 2000 compliance, strictly from a value for money point of view many organisations could have used the opportunity to build improved functionality into their systems. I accept absolutely that there would be a risk involved in going down this road, but it could have been minimised if the requisite planning and analysis was undertaken in good time.

At the time of the examination, which was about a year ago, I had a concern about the pace of progress in testing the rewritten systems and the degree of contingency planning. However, on the basis of information available to me currently, it appears that most, possibly all, Departments and offices have completed their testing successfully and have contingency plans in place at the moment.

The examination also looked at how three Departments oversaw arrangements for year 2000 compliance in the bodies under their aegis. I am referring here to bodies such as health boards and vocational education committees. In the initial stages, there seemed to be some delay in coming to grips with the problem in those areas. However, by the end of 1998 there was an improvement, certainly in the system of progress reporting.

For the moment it looks as if we are well positioned for the new millennium in terms of the readiness of our computer systems, but we should keep our fingers crossed and hope that we will be able to say the same thing in a month's time because clearly in this case there can be no real guarantees.

Thank you for the opportunity to make a few introductory comments. We genuinely found this a very useful report. It provided us with the opportunity to highlight the importance of this problem and to show the priority that is being given to this problem by the Government. The fact that the report came when it did, February of this year, helped us to focus people's attention all the more on issues that had to be addressed. Overall, the exercise was very beneficial.

The report focuses on a number of aspects that might be improved upon. We accept this. However, overall, the report comes down on the side that the specific strategies adopted were appropriate and that the projects examined were proceeding according to plan.

I can update the committee on the state of play across the entire Civil Service. The Government adopted a three-strand approach. The first was to ensure that existing difficulties in Departments and offices, outlined by the Comptroller and Auditor General, were remedied. The next thing was to ensure that contingency plans were in place. All these operations were monitored by a Y2K co-ordinating committee which we chaired in the Department of Finance and which included people from the private sector, the business sector, who were experts in computerisation. That was an extraordinarily useful input. In recent months the Government decided to put in place a further committee to deal with contingency preparations for the key utilities, looking at the interactions between the utilities, for example, electricity with telecommunications and so on, to make sure those interactions will take place on the night and that if there is a difficulty there will be a protocol there for that. In addition, the committee, which was chaired by the Minister for Finance, also looked at the national emergency plan to ensure that it will stand up.

There were three processes. The process for which we were responsible in the Department was to monitor what was happening in Departments and offices in the Civil Service. There is a wider process in terms of the utilities in the wider public service. Essentially, the structure we put in place was to make sure responsibility and accountability was imposed on those organisations themselves and that they would report directly to Government. That has operated well. The Chairman has referred to the fact that initially it was not operating well. In a number of cases, with the help of the report, this has now been cleared up. Then there is this new committee.

In terms of compliance, all Departments and offices at this time have completed their Y2K compliance programmes. These involve all the key business processes in Departments and offices.

In relation to the public sector, although it is not an area for which we are responsible because it reports directly to Government, in preparation for coming to this committee we pulled together some information about what was happening around the public service. We can say that, with a few minor exceptions, all the key utilities - electricity, telecommunications, gas, public transport, water, sewerage, traffic management - have completed their compliance programmes. There are a couple of exceptions in the case of health, but they are expected to be finished next week, and they are not critical projects. There are a few exceptions in education in the case of a couple of vocational education committees but that is only because they did not get signed off due to an industrial relations dispute. Our understanding is that the work has been done, and they will be reporting to Government on that next week. The security services also have been completed, the Garda Síochána and the Defence Forces.

In so far as the public service has been able to do this - it was an enormous project involving thousands of systems, hardware and software projects - no stone has been left unturned here in terms of the key processes.

In regard to contingency planning, we set a deadline for mid-1999 in terms of fall-back contingency arrangements. All Departments and offices have completed these contingency arrangements. They have all been independently assessed and signed off by the accounting officers. In relation to the Civil Service, Departments and offices, all has been done. In regard to the public sector, we have been informed that business continuity plans for the key practices are in place and that the national emergency planning arrangements have been looked at as well.

In terms of the final committee I mentioned, chaired by the Minister for Finance, the purpose of that was the ensure that the national utilities communicated with each other to ensure that if a problem arose in a particular utility there would be quick communication on the night in question and on subsequent days. That has been done through this committee which was chaired by the Minister. The Minister has also asked the Department of the Environment and Local Government, which is responsible for national emergency planning, to look at that national emergency plan and ensure it is up to scratch and that there are contingency arrangements in place. That has been done.

In a recent decision the Government decided that around the end of the year and the beginning of the new year an event information centre will be put in place in Government Buildings. This centre will not accept calls from the public. Essentially it is about ensuring that some of the problems in terms of utilities speaking to each other are faced up to if there is a problem at the time. It will also help us to look at countries which will face this problem earlier than us. We will be looking across the world, provided the Internet and various things are there, to see in which utilities particular problems arise, and we will communicate that to our own utilities. The public will be able to get information from the various utilities which will advertise contact points in relation to that. The purpose of the event centre is to ensure that utilities will be able to get in touch with each other if there are problems. If they cannot, the event centre will smooth the way.

That, essentially, is what has happened in relation to the preparations. As the Comptroller and Auditor General said about the best laid plans, this is a very complex situation. Nobody can put their hand on their heart and say everything will be okay but in so far as we have been able to do things, we have done them. We cannot rule out the possibility that some problems will arise, but all the organisations I have mentioned have informed us that contingency plans are in place to try to ensure that difficulty with the services would be minimised.

In all this work we would really be talking about the fatal and critical systems. There will be some marginal systems which are not high priority in business terms. Some problems could arise with those but we are informed they should not seriously impact on the public. Overall, therefore, we have done as much as we are able to do at this stage, and the report was extremely useful in that regard.

What I said was that we have been informed that all the key critical business systems have been adjusted and tested. I cannot say absolutely that there will not be a problem but in terms of going through the protocols set out, those protocols have been followed through. I am relying on information we are getting from the wider public service because it reports directly to Government, but the information I have is that that is the position.

There are two parts to the answer to that question. Taking the Civil Service and Departments first, the overall cost of the ongoing information technology arrangements in the current budget is about £150 million. Within those budgets every year we would replace and update equipment - it has nothing to do with the Y2K problem. In leading up to the Y2K problem, however, we have taken the opportunity, when replacing those systems, to make sure they are Y2K compliant. I am not separating that cost. Cost is part of the ongoing budget because it was going to be done anyway. In relation to the additional cost over and above those budgets, we sought estimates from the Departments and the estimate was about £13 million to do additional work which would not have been encompassed within those budgets. There was another cost on top of that which has to do with a loyalty bonus being paid to IT staff, and that could cost about £17.5 million. The loyalty bonus was paid to staff because, as the Comptroller has said, there was a period when we were losing quite a number of staff. They were getting substantial offers from the private sector which had its own problems in relation to Y2K. We had some highly trained and skilled staff and we lost a number of staff so we had to take remedial action. The Government approved a package in relation to loyalty bonuses which will be paid next year when this problem is resolved. We are talking about in the order of £20 million overall, in addition to the existing budgets. That is the position in so far as the Civil Service is concerned.

In the wider public service, the same process is followed there but an additional contingency sum of £40 million has been provided, as the Comptroller has mentioned, in relation to the additional cost of that. The bulk of that estimate was for the health service and much of it was made at a time when we were not sure just how many of the embedded systems across the health system would need to be adjusted. The latest information we have - we will not know this until the end of the year - is that about half of that sum, or a little more than half, might be used but I cannot be definitive about that. I would have to come back to the committee on that. In terms of the overall cost, looking at what is happening in other countries, the approximate cost of Y2K is between 15% and 20% of budgets. We reckon that our current costs would be between 10% and 15%.

If the use of two digits was the norm in the 1990s, why was there not a gradual switch over to the four digit system in anticipation of the year 2000 problem? The monitoring committee to deal with this problem was only set up in September 1997. Could this problem not have been anticipated and a gradual switch over to the four digit system started from the early 1990s?

That is a fair question. While we issued our advice note, and this is referred to by the Comptroller in the report, at the beginning of 1997, much work was going on in 1996 in terms of the technical questions. All the Departments were being pulled together. We issued instructions in terms of new procurement clauses for contracts and so on. The real issue we faced was that the vendors were not in a position earlier than that to tell us what equipment would be year 2000 compliant and we were not, therefore, in a position to advise organisations or Departments earlier than that. This was a major problem for the vendors also and it was quite late before they were in a position, technically, to answer the questions which needed to be answered. From the time they were able to answer the questions, the changeover was being made. When I referred earlier to the £150 million and anticipating problems, that is exactly what I meant. From the time we knew that the vendors could handle this, we were making the changes in the system.

Sorry, could I just say something? I should perhaps outline a bit of history for the Deputy. We were aware of this problem from the late 1980s, particularly with regard to so-called legacies which were developed in third generation language called Cobol - I am sure the Deputy has heard about it. All the systems developed in the late 1960s, 1970s and early 1980s, right up to the late 1980s, would have been developed using Cobol. In 1990 we issued guidelines on what we call corporate information management in which we recommended to all Departments that they should use full dates for years, four digits, and not use the abbreviated version because storage and memory was no longer a problem, as it had been earlier.

Moving on a few years, the debate about year 2000 and the need to remedy year 2000 systems to manage the changeover in dates at the end of the millennium commenced in the Civil Service in 1995, but as John Hurley has just said, we were in a position where much of the hardware and software we needed to render systems Y2K compliant was not available to us. Vendors had not produced the necessary hardware and software. Much of the planning, particularly for the older systems, the so-called legacy systems, actually commenced in 1996. We issued a procurement clause in the autumn of 1996 to reinforce the earlier 1990 report telling all Departments and agencies to include a Y2K compliant clause in the procurement RFT. Subsequently, as the Comptroller indicated in his report, we issued a circular to Departments in March 1997 at a time when we knew that vendors were making available the necessary hardware and software that would be needed in the bulk of cases to render the system Y2K compliant. We started the process as early as - perhaps earlier in many cases - the countries that took the lead in this area and in all countries the real effort in rendering systems Y2K compliant started in the 1996-97 period.

Why was the monitoring committee set up in September 1997? Page 12 of the report states that a key point is that delays in obtaining the necessary resources have increased the cost of the project. The increased costs of the project is our main concern as we are a value for money committee. Whose fault was it that you did not obtain the necessary resources, which resulted in an increased cost for the projects?

The cost of the project, if you look at the figures I mentioned, compare very well internationally. When we issued the advice notice in 1997 we set targets that people should try to meet. We knew they were targets but it was necessary to focus people's attention on the fact that this was an urgent problem. We knew the targets were difficult for them.

As a result of that and of the survey that was carried out following the issue of the advice notice, we advised the Government that a monitoring structure should be put in place to ensure that people reported to the Government at regular intervals, to ensure they took this problem seriously and that the Government could take initiatives if it saw particular aspects not being fulfilled. It was a discipline we believed ought to be put in place. If you look at the Comptroller and Auditor General's report, it is one of the lessons he suggests comes out of the report that the monitoring arrangements, the involvement of senior staff and the type of arrangements put in place are important for future projects.

I would argue that it was a development of the project management process that was put in place at that time and it worked well. One could say that the organisations that monitor the Y2K issue internationally have regarded that process and the way we have done things as one of the best models to be followed.

The only additional cost that was a problem for us and which we had to think about was the fact that we were losing these IT staff to the private sector and we had to take remedial action. That was something outside our control. In that situation we did have to put through a loyalty bonus scheme to retain our people. They were being offered significant packages by the private sector and that, undoubtedly, was a problem, posed risks and had to be dealt with. We put together a package of measures in relation to that. We discussed it with the unions and they were very helpful in this regard. The measures we put in place stopped that haemorrhage and enabled us to keep the project on track.

I can confirm everything Mr. Hurley said. There is an illustration of the point on page 12. In the Department of Agriculture, Food and Rural Development there was an acute shortage of computer staff. It had a proposal to change the cattle testing system, a huge system they had written some years earlier. However, because the Department could not get the staff to write this new system to ensure it would be in place for 2000, it had to spend £800,000 getting the software house to make the existing system Y2K compliant. In a sense that was wasted money or avoidable expenditure. It is just an example of the problem. It is the extreme case and we did not come across too many extreme cases. To an extent, it was more associated with historical problems with the staffing of the computer unit in the Department of Agriculture, Food and Rural Development.

It is a useful exercise and I am glad to hear Mr. Hurley welcome it. It indicates the benefits of the Comptroller and Auditor General's office and how it can tie Departments together. If it had been left to individual Departments, despite having a central monitoring group, people would not have been as anxious, as it were, to comply on time.

You indicated there are many fingers crossed and much guessing and hoping against hope that everything has been done correctly. Is that a fair assessment?

In the same way as they are crossed in other countries. This is unknown territory but in so far as the systems can be made compliant, that has been done. However, it is true that people cannot guarantee that there will not be some disruption. The key is that we have tried to put in place contingency measures to minimise that. The event centre I just mentioned should help to exchange information quickly across utilities to try to minimise it as well. That is all I can say. We cannot be certain in this area.

I do not think that was the reason. The reason was that we were trying to ensure that if people put in answers, they were the right answers. There was a fear that they might buy a package system and get some guarantees or commitments from the vendor and yet it still might turn out not to be Y2K compliant on the day. That would have been a lot of misspent money.

That period was very important to ensure we had solutions that were likely to work. That was the main concern at the time. Certainly, back in 1995 we were all concerned about this problem because every system was involved. It is an enormous project. One cannot think of another project as big. Many structures and much work had to be put in place. I would say that was the reason.

There are significant benefits. I refer back to the Comptroller and Auditor General's report. There are project management benefits. There are points made in the report that are useful and are taken on board. We are in the information age and this exercise helps us enormously to take another leap forward. People simply had to take this problem seriously and it brought many of them up to speed in terms of what is around the corner for us with regard to technology.

There was a significant benefit. In some cases we were able to improve functionality whereas, as the Comptroller and Auditor General correctly points out, there is a risk that if one goes too far down the road of improving functionality, one ends up with a different deadline and it might not be 31 December. We had to be careful about that. A balance had to be struck. Overall, it was a useful exercise.

If there is a major criticism in the report, it is directed at the efforts to achieve compliance, the lateness and the effort involved. In the middle of this programme it was pointed out that largescale projects "are only now approaching or entering the testing stage". This along with contingency planning for failures were the main criticisms.

I accept that point. We were working hard to ensure the systems were compliant in the first place. If the system is compliant, it is a considerable help in dealing with contingency planning. Once the systems were compliant from the beginning of this year, the focus shifted to contingency planning. We were pretty sure at that stage that we would meet the compliance requirements.

Contingency planning is a different process. It does not involve technology; in many cases, it deals with alternative processes to be put in place if the technology collapses. We were sure we would be able to get those in place provided we were confident the technology was compliant. That is the way we approached it and it has worked out with all the qualifications that inevitably must be there.

The Department of Social, Community and Family Affairs has a strong IT function and IT unit. However, it was in danger of losing staff and it was one of the Departments pressing strongly that we should make alternative arrangements. Revenue was in a similar position. We pulled all the heads of Departments together and posed the question, what has to be done to deal with this. In fairness, they were losing staff.

Places outside the Civil Service, in some of the State-sponsored bodies areas have a little more flexibility in terms of what they can pay. We sometimes have to take a slightly different approach. Otherwise there would be an enormous burden on the Exchequer. There are different freedoms if one is in the private sector or in the commercial area and sometimes the non-commercial State-sponsored body area. I am not criticising that at all. I am simply saying that I would be answering a different question here in terms of value for money if I paid some of those sums.

Deputy McCormack is correct in saying that it is unfair of us at times. Our job is to try to pick holes in value for money reports by asking why certain things were not done. Often it is for historical reasons but there are three lessons for the future. They are talking about having a pool from which to recruit staff, but hopefully the comment which will jump out at us next year when we reconsider the matter is that because projects started late, there was some trade off with economy and efficiency.

That is fair up to a point. If one takes any country in the world, they said to organisations that within their existing budgets they had to determine priorities and this was a key priority. One had to focus on this and, as a consequence, there will be certain other marginal things that may be put off or deferred. To that extent, I understand exactly the point the Comptroller and Auditor General made. However, we would feel that the things that would be put off or deferred would not be key, critical things. The important work would still have been prioritised within the budgets. This was the approach the Government took. It decided that this was an absolute key priority. I take the point that there are elements thereof efficiency in the longer term, but it is verydifficult to get that right when one's primary concern is to make sure that the systems do not go down.

There are always dangers involving people who might abuse technology. However, we have tried with the security systems in technology to minimise that. The other problem which might arise is that it is possible that we will have some disruption that we cannot foresee in relation to Y2K, but there could be IT disruption for other reasons which have nothing to do with Y2K. People could say that they are all related to Y2K, but it might have nothing to do with it. A recent example of that was the Eircom situation. It had nothing to do with Y2K. It involved a software difficulty and the flooding of an exchange. I imagine we will have those problems at the beginning of the year.

The Deputy's previous question about hackers is very valid. We are very concerned and we are expecting that hackers all over the world will bring in millennium viruses. We have issued a note to all Departments to take extra precautions and to make sure that virus detection software is in place, particularly with regard to downloading messages that come through the Internet system.

Regarding the Deputy's second question about security, a great deal of attention has been paid to security arrangements not just in relation to computer systems but also in relation to millennium celebrations. A sub-committee is looking after that. In addition, the committee that is chaired by the Minister for Finance has paid particular attention to the emergency management arrangements in place by the emergency services for the millennium period.

The Eircom outage that was mentioned by Mr. Hurley served as a useful wake up call. It had nothing to do with Y2K but it served as a very useful wake up call. The Minister took the opportunity to invite Eircom in to talk to him about the problem and the extra precautions they were going to take to be able to respond more quickly in the event of something happening over the millennium. I am glad Eircom responded very positively. It indicated that it will have increased coverage by way of technicians and staff on call in the event that any exchange in the country goes down. It was a very useful wake up call. It came at a time when it was useful for us to remind people that things can happen and they need to have their contingency plans in place.

Is it agreed to note the programme? Agreed. The committee will adjourn now until 11 a.m. next Tuesday. I thank the witnesses.

The witnesses withdrew.