What GAO Found
As of December 2018, the Census Bureau (Bureau) had identified 360 active risks to the 2020 Census. Of these, 242 required a mitigation plan and 232 had one; 146 required a contingency plan and 102 had one (see table). Mitigation plans detail how an agency will reduce the likelihood of a risk event and its impacts, if it occurs. Contingency plans identify how an agency will reduce or recover from the impact of a risk after it has been realized. Bureau guidance states that these plans should be developed as soon as possible after a risk is added to the risk register, but it does not establish clear time frames for doing so. Consequently, some risks may go without required plans for extended periods.
2020 Census Risks with Required Mitigation and Contingency Plans
Risks requiring plan
Risks with plan
Source: GAO analysis of U.S. Census Bureau 2020 Census risk registers as of December 2018. | GAO-19-399
GAO reviewed the mitigation and contingency plans in detail for six risks which the Bureau identified as among the major concerns that could affect the 2020 Census. These included cybersecurity incidents and integration of the 52 systems and 35 operations supporting the census. GAO found that the plans did not consistently include key information needed to manage the risk. For example, three of the mitigation plans and five of the contingency plans did not include all key activities. Among these was the Bureau’s cybersecurity mitigation plan. During an August 2018 public meeting, the Bureau’s Chief Information Officer discussed key strategies for mitigating cybersecurity risks to the census—such as reliance on other federal agencies to help resolve threats—not all of which were included in the mitigation plan.
GAO found that gaps stemmed from either requirements missing from the Bureau’s decennial risk management plan, or that risk owners were not fulfilling all of their risk management responsibilities. Bureau officials said that risk owners are aware of these responsibilities but do not always fulfill them given competing demands. Bureau officials also said that they are managing risks to the census, even if not always reflected in their mitigation and contingency plans. However, if such actions are reflected in disparate documents or are not documented at all, then decision makers are left without an integrated and comprehensive picture of how the Bureau is managing risks to the census.
The Bureau has designed an approach for managing fraud risk to the 2020 Census that generally aligns with leading practices in the commit, assess, and design and implement components of GAO’s Fraud Risk Framework. However, the Bureau has not yet determined the program’s fraud risk tolerance or outlined plans for referring potential fraud to the Department of Commerce Office of Inspector General (OIG) to investigate. Bureau officials described plans to take these actions later this year, but not for updating the antifraud strategy. Updating this strategy to include the Bureau’s fraud risk tolerance and OIG referral plan will help ensure the strategy is current, complete, and conforms to leading practices.
Why GAO Did This Study
With less than 1 year until Census Day, many risks remain. For example, the Bureau has had challenges developing critical information technology systems, and new innovations—such as the ability to respond via the internet—have raised questions about potential security and fraud risks. Fundamental to risk management is the development of risk mitigation and contingency plans to reduce the likelihood of risks and their impacts, should they occur.
GAO was asked to review the Bureau’s management of risks to the 2020 Census. This report examines (1) what risks the Bureau has identified, (2) the risks for which the Bureau has mitigation and contingency plans, (3) the extent to which the plans included information needed to manage risk, and (4) the extent to which the Bureau’s fraud risk approach aligns with leading practices in GAO’s Fraud Risk Framework. GAO interviewed officials, assessed selected mitigation and contingency plans against key attributes, and assessed the Bureau’s approach to managing fraud risk against GAO’s Fraud Risk Framework.
What GAO Recommends
GAO is making seven recommendations, including that the Bureau set clear time frames for developing mitigation and contingency plans, require that mitigation and contingency plans include all key attributes, hold risk owners accountable for carrying out their risk management responsibilities, and update its antifraud strategy to include a fraud risk tolerance and OIG referral plan. The Department of Commerce agreed with GAO’s recommendations.
For more information, contact Robert Goldenkoff at (202) 512-2757 or firstname.lastname@example.org or Rebecca Shea at (202) 512-6722 or email@example.com.