2020 Census:

Additional Actions Needed to Manage Risk

GAO-19-399: Published: May 31, 2019. Publicly Released: May 31, 2019.

Multimedia:

  • PODCAST: Watchdog Report: Deep Dig - The 2020 Census

    We're debuting a new edition of our podcasts called Watchdog Report: Deep Dig. We'll dig deeper into some of our bigger topics and issues. And you'll hear stories from the people behind GAO's work. The focus of this first episode is the 2020 Census.

    View the transcript

Additional Materials:

Contact:

Robert N. Goldenkoff
(202) 512-2757
goldenkoffr@gao.gov

 

Rebecca Shea
(202) 512-6722
shear@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Constitutionally-mandated U.S. Census provides vital information, including data for congressional redistricting. But we've found that the 2020 Census involves some risks.

The Census Bureau has identified hundreds of risks to the 2020 Census. For example, the Bureau's information systems face potential cyberattacks. The Bureau has mitigation and contingency plans for most of those risks.

We reviewed the Bureau's plans for 6 key risks and found they didn't consistently include key information needed to manage the risk. We made 7 recommendations including that the Bureau require these plans to include all necessary information.

 

A person carrying a U.S. Census Bureau tote bag with the front door of a house in the background.

A person carrying a U.S. Census Bureau tote bag with the front door of a house in the background.

Multimedia:

  • PODCAST: Watchdog Report: Deep Dig - The 2020 Census

    We're debuting a new edition of our podcasts called Watchdog Report: Deep Dig. We'll dig deeper into some of our bigger topics and issues. And you'll hear stories from the people behind GAO's work. The focus of this first episode is the 2020 Census.

    View the transcript

Additional Materials:

Contact:

Robert N. Goldenkoff
(202) 512-2757
goldenkoffr@gao.gov

 

Rebecca Shea
(202) 512-6722
shear@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

As of December 2018, the Census Bureau (Bureau) had identified 360 active risks to the 2020 Census. Of these, 242 required a mitigation plan and 232 had one; 146 required a contingency plan and 102 had one (see table). Mitigation plans detail how an agency will reduce the likelihood of a risk event and its impacts, if it occurs. Contingency plans identify how an agency will reduce or recover from the impact of a risk after it has been realized. Bureau guidance states that these plans should be developed as soon as possible after a risk is added to the risk register, but it does not establish clear time frames for doing so. Consequently, some risks may go without required plans for extended periods.

2020 Census Risks with Required Mitigation and Contingency Plans

Plan

Risks requiring plan

Risks with plan

Mitigation

242

232 (96%)

Contingency

146

102 (70%)

Source: GAO analysis of U.S. Census Bureau 2020 Census risk registers as of December 2018. | GAO-19-399

GAO reviewed the mitigation and contingency plans in detail for six risks which the Bureau identified as among the major concerns that could affect the 2020 Census. These included cybersecurity incidents and integration of the 52 systems and 35 operations supporting the census. GAO found that the plans did not consistently include key information needed to manage the risk. For example, three of the mitigation plans and five of the contingency plans did not include all key activities. Among these was the Bureau's cybersecurity mitigation plan. During an August 2018 public meeting, the Bureau's Chief Information Officer discussed key strategies for mitigating cybersecurity risks to the census—such as reliance on other federal agencies to help resolve threats—not all of which were included in the mitigation plan.

GAO found that gaps stemmed from either requirements missing from the Bureau's decennial risk management plan, or that risk owners were not fulfilling all of their risk management responsibilities. Bureau officials said that risk owners are aware of these responsibilities but do not always fulfill them given competing demands. Bureau officials also said that they are managing risks to the census, even if not always reflected in their mitigation and contingency plans. However, if such actions are reflected in disparate documents or are not documented at all, then decision makers are left without an integrated and comprehensive picture of how the Bureau is managing risks to the census.

The Bureau has designed an approach for managing fraud risk to the 2020 Census that generally aligns with leading practices in the commit, assess, and design and implement components of GAO's Fraud Risk Framework. However, the Bureau has not yet determined the program's fraud risk tolerance or outlined plans for referring potential fraud to the Department of Commerce Office of Inspector General (OIG) to investigate. Bureau officials described plans to take these actions later this year, but not for updating the antifraud strategy. Updating this strategy to include the Bureau's fraud risk tolerance and OIG referral plan will help ensure the strategy is current, complete, and conforms to leading practices.

Why GAO Did This Study

With less than 1 year until Census Day, many risks remain. For example, the Bureau has had challenges developing critical information technology systems, and new innovations—such as the ability to respond via the internet—have raised questions about potential security and fraud risks. Fundamental to risk management is the development of risk mitigation and contingency plans to reduce the likelihood of risks and their impacts, should they occur.

GAO was asked to review the Bureau's management of risks to the 2020 Census. This report examines (1) what risks the Bureau has identified, (2) the risks for which the Bureau has mitigation and contingency plans, (3) the extent to which the plans included information needed to manage risk, and (4) the extent to which the Bureau's fraud risk approach aligns with leading practices in GAO's Fraud Risk Framework. GAO interviewed officials, assessed selected mitigation and contingency plans against key attributes, and assessed the Bureau's approach to managing fraud risk against GAO's Fraud Risk Framework.

What GAO Recommends

GAO is making seven recommendations, including that the Bureau set clear time frames for developing mitigation and contingency plans, require that mitigation and contingency plans include all key attributes, hold risk owners accountable for carrying out their risk management responsibilities, and update its antifraud strategy to include a fraud risk tolerance and OIG referral plan. The Department of Commerce agreed with GAO's recommendations.

For more information, contact Robert Goldenkoff at (202) 512-2757 or goldenkoffr@gao.gov or Rebecca Shea at (202) 512-6722 or shear@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Priority recommendation

    Comments: As of May 2020, the Bureau's program risk registers included a clear indication of the status of mitigation plans; however, the Bureau's portfolio risk register did not, without which there was not a clear indication of which portfolio risk mitigation plans had been approved by management. As of August 2020, the Bureau's portfolio risk register also included a clear indication of mitigation plan status. At that time, we reviewed the Bureau's program and portfolio risk registers to determine whether the Bureau had developed and obtained management approval of mitigation and contingency plans for all risks that required them. We found six risks that met the Bureau's requirements for a contingency plan but did not have an approved contingency plan in place. We notified the Bureau and asked them to ensure that approved mitigation and contingency plans were in place for all risks that required them. We will continue to monitor the Bureau's actions to implement this recommendation.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau develops and obtains management approval of mitigation and contingency plans for all risks that require them. (Recommendation 1)

    Agency Affected: Department of Commerce

  2. Status: Closed - Implemented

    Comments: In May 2019, we found that the Census Bureau (Bureau) did not have mitigation and contingency plans for all risks that required them. Some of these risks had been added to the Bureau's risk registers in recent months, but others had been added months and years earlier. The Bureau's decennial risk management plan stated that mitigation and contingency plans should be developed and presented to management for approval as soon as possible after risks requiring such plans were added to the risk registers, but it did not include clear time frames for doing so. Therefore, we recommended that the Bureau update its decennial risk management plan to include clear time frames for mitigation and contingency plan development and approval. In March 2020, the Bureau updated its decennial risk management plan and, in doing so, included clear time frames for mitigation and contingency plan development and approval, ranging from within one to two months of a risk's addition to the risk register, with differences dependent on characteristics such as the risk level (program or portfolio) and plan type (mitigation or contingency).

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to include clear time frames for developing and obtaining management approval of mitigation and contingency plans. (Recommendation 2)

    Agency Affected: Department of Commerce

  3. Status: Closed - Implemented

    Comments: In May 2019, we found that the Census Bureau's (Bureau) decennial risk management plan required a clear indication of the status of contingency but not mitigation plans in its program and portfolio risk registers. Without a clear indication of the status of mitigation plans in the risk registers, we were unable to determine how many of those plans had been approved by management or were still in draft. Therefore, we recommended that the Bureau update its decennial risk management plan to require that both portfolio and program risk registers include a clear indication of the status of mitigation plans. In March 2020, the Bureau updated its decennial risk management plan and, in doing so, required that program but not portfolio risk registers include a clear indication of the status of mitigation plans. In July 2020, the Bureau updated its decennial risk management again and, in doing so, required that portfolio risk registers also include a clear indication of the status of mitigation plans.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that portfolio and program risk registers include a clear indication of the status of mitigation plans. (Recommendation 3)

    Agency Affected: Department of Commerce

  4. Status: Open

    Comments: In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response-with performance measures and milestones, where appropriate-to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census and documented it in their knowledge management tool. In August 2020, we requested documentation of these actions. Once received, we will assess whether these actions suffice to close the recommendation.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk. (Recommendation 4)

    Agency Affected: Department of Commerce

  5. Status: Closed - Implemented

    Comments: In May 2019, we found that the mitigation and contingency plans for six risks which the Census Bureau (Bureau) identified as among the major concerns that could affect the 2020 Census did not consistently include key information needed to manage the risk. We further found that some gaps stemmed from risk owners not fulfilling their risk management responsibilities, such as keeping plans up to date. Therefore, we recommended that the Bureau hold risk owners accountable for carrying out their risk management responsibilities. Following our recommendation, the Bureau took a number of steps to implement it. For example, as of August 2019, the Bureau had instituted new measures for monitoring risk status, including three different monthly reports alerting risk owners and others to, among other things, outstanding actions requiring completion. In November 2019, the Bureau implemented new training sessions for all risk owners detailing the steps they must take to manage their risks, in order to ensure full knowledge of risk management responsibilities. As of December 2019, the Bureau had increased the number of full-time staff dedicated to risk management oversight from two to five, to facilitate more frequent communication with risk owners regarding needed actions. These steps, coupled with measures already in place (such as semiannual reviews of portfolio-level risks by top-level management and the inclusion of risk management compliance as a factor in risk owner performance evaluations) should help ensure that risk owners are held accountable for carrying out their risk management responsibilities.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau holds risk owners accountable for carrying out their risk management responsibilities. (Recommendation 5)

    Agency Affected: Department of Commerce

  6. Status: Closed - Implemented

    Comments: On October 22, 2019, the Bureau provided us with documentation from its updated antifraud strategy that included a fraud risk tolerance. By providing this update, the Bureau has addressed our recommendation.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's antifraud strategy to include a fraud risk tolerance prior to beginning the 2020 Census and adjust as needed. (Recommendation 6)

    Agency Affected: Department of Commerce

  7. Status: Closed - Implemented

    Comments: On March 2, 2020, the Bureau provided us with documentation from its plan that outlines how to refer potential fraud to the Department of Commerce OIG to investigate. By providing this update, the Bureau has addressed our recommendation.

    Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's antifraud strategy to include the Bureau's plans for referring instances of potential fraud to the Department of Commerce Office of Inspector General for further investigation. (Recommendation 7)

    Agency Affected: Department of Commerce

 

Explore the full database of GAO's Open Recommendations »

Sep 25, 2020

Sep 23, 2020

Sep 10, 2020

Sep 8, 2020

Aug 31, 2020

Aug 27, 2020

Aug 19, 2020

Jul 9, 2020

Jul 1, 2020

Looking for more? Browse all our products here