2020 Census: Additional Actions Needed to Manage Risk

GAO-19-399: Published: May 31, 2019. Publicly Released: May 31, 2019.

Additional Materials:

Contact:

Robert N. Goldenkoff
(202) 512-2757
goldenkoffr@gao.gov

 

Rebecca Shea
(202) 512-6722
shear@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The constitutionally mandated U.S. Census provides vital information, including data for congressional redistricting. But we've found that the 2020 Census involves some risks.

The Census Bureau has identified hundreds of risks to the 2020 Census. For example, the Bureau's information systems face potential cyberattacks. The Bureau has mitigation and contingency plans for most of those risks.

We reviewed the Bureau's plans for 6 key risks and found they didn't consistently include key information needed to manage the risk. We made 7 recommendations including that the Bureau require these plans to include all necessary information.

 

A person carrying a U.S. Census Bureau tote bag with the front door of a house in the background.


What GAO Found

As of December 2018, the Census Bureau (Bureau) had identified 360 active risks to the 2020 Census. Of these, 242 required a mitigation plan and 232 had one; 146 required a contingency plan and 102 had one (see table). Mitigation plans detail how an agency will reduce the likelihood of a risk event and its impacts, if it occurs. Contingency plans identify how an agency will reduce or recover from the impact of a risk after it has been realized. Bureau guidance states that these plans should be developed as soon as possible after a risk is added to the risk register, but it does not establish clear time frames for doing so. Consequently, some risks may go without required plans for extended periods.

2020 Census Risks with Required Mitigation and Contingency Plans

| Plan | Risks requiring plan | Risks with plan |
| --- | --- | --- |
| Mitigation | 242 | 232 (96%) |
| Contingency | 146 | 102 (70%) |

Source: GAO analysis of U.S. Census Bureau 2020 Census risk registers as of December 2018. | GAO-19-399

GAO reviewed the mitigation and contingency plans in detail for six risks which the Bureau identified as among the major concerns that could affect the 2020 Census. These included cybersecurity incidents and integration of the 52 systems and 35 operations supporting the census. GAO found that the plans did not consistently include key information needed to manage the risk. For example, three of the mitigation plans and five of the contingency plans did not include all key activities. Among these was the Bureau's cybersecurity mitigation plan. During an August 2018 public meeting, the Bureau's Chief Information Officer discussed key strategies for mitigating cybersecurity risks to the census—such as reliance on other federal agencies to help resolve threats—not all of which were included in the mitigation plan.

GAO found that gaps stemmed either from requirements missing from the Bureau's decennial risk management plan or from risk owners not fulfilling all of their risk management responsibilities. Bureau officials said that risk owners are aware of these responsibilities but do not always fulfill them given competing demands. Bureau officials also said that they are managing risks to the census, even if this is not always reflected in their mitigation and contingency plans. However, if such actions are reflected in disparate documents or are not documented at all, then decision makers are left without an integrated and comprehensive picture of how the Bureau is managing risks to the census.

The Bureau has designed an approach for managing fraud risk to the 2020 Census that generally aligns with leading practices in the commit, assess, and design and implement components of GAO's Fraud Risk Framework. However, the Bureau has not yet determined the program's fraud risk tolerance or outlined plans for referring potential fraud to the Department of Commerce Office of Inspector General (OIG) to investigate. Bureau officials described plans to take these actions later this year, but not for updating the antifraud strategy. Updating this strategy to include the Bureau's fraud risk tolerance and OIG referral plan will help ensure the strategy is current, complete, and conforms to leading practices.

Why GAO Did This Study

With less than 1 year until Census Day, many risks remain. For example, the Bureau has had challenges developing critical information technology systems, and new innovations—such as the ability to respond via the internet—have raised questions about potential security and fraud risks. Fundamental to risk management is the development of risk mitigation and contingency plans to reduce the likelihood of risks and their impacts, should they occur.

GAO was asked to review the Bureau's management of risks to the 2020 Census. This report examines (1) what risks the Bureau has identified, (2) the risks for which the Bureau has mitigation and contingency plans, (3) the extent to which the plans included information needed to manage risk, and (4) the extent to which the Bureau's fraud risk approach aligns with leading practices in GAO's Fraud Risk Framework. GAO interviewed officials, assessed selected mitigation and contingency plans against key attributes, and assessed the Bureau's approach to managing fraud risk against GAO's Fraud Risk Framework.

What GAO Recommends

GAO is making seven recommendations, including that the Bureau set clear time frames for developing mitigation and contingency plans, require that mitigation and contingency plans include all key attributes, hold risk owners accountable for carrying out their risk management responsibilities, and update its antifraud strategy to include a fraud risk tolerance and OIG referral plan. The Department of Commerce agreed with GAO's recommendations.

For more information, contact Robert Goldenkoff at (202) 512-2757 or goldenkoffr@gao.gov or Rebecca Shea at (202) 512-6722 or shear@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau develops and obtains management approval of mitigation and contingency plans for all risks that require them. (Recommendation 1)

    Agency Affected: Department of Commerce

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to include clear time frames for developing and obtaining management approval of mitigation and contingency plans. (Recommendation 2)

    Agency Affected: Department of Commerce

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that portfolio and program risk registers include a clear indication of the status of mitigation plans. (Recommendation 3)

    Agency Affected: Department of Commerce

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk. (Recommendation 4)

    Agency Affected: Department of Commerce

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau holds risk owners accountable for carrying out their risk management responsibilities. (Recommendation 5)

    Agency Affected: Department of Commerce

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's antifraud strategy to include a fraud risk tolerance prior to beginning the 2020 Census and adjust as needed. (Recommendation 6)

    Agency Affected: Department of Commerce

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's antifraud strategy to include the Bureau's plans for referring instances of potential fraud to the Department of Commerce Office of Inspector General for further investigation. (Recommendation 7)

    Agency Affected: Department of Commerce

 
