2020 Census: Additional Actions Needed to Manage Risk
Fast Facts
The Constitutionally-mandated U.S. Census provides vital information, including data for congressional redistricting. But we've found that the 2020 Census involves some risks.
The Census Bureau has identified hundreds of risks to the 2020 Census. For example, the Bureau's information systems face potential cyberattacks. The Bureau has mitigation and contingency plans for most of those risks.
We reviewed the Bureau's plans for 6 key risks and found they didn't consistently include key information needed to manage the risk. We made 7 recommendations including that the Bureau require these plans to include all necessary information.
Highlights
What GAO Found
As of December 2018, the Census Bureau (Bureau) had identified 360 active risks to the 2020 Census. Of these, 242 required a mitigation plan and 232 had one; 146 required a contingency plan and 102 had one (see table). Mitigation plans detail how an agency will reduce the likelihood of a risk event and its impacts, if it occurs. Contingency plans identify how an agency will reduce or recover from the impact of a risk after it has been realized. Bureau guidance states that these plans should be developed as soon as possible after a risk is added to the risk register, but it does not establish clear time frames for doing so. Consequently, some risks may go without required plans for extended periods.
2020 Census Risks with Required Mitigation and Contingency Plans
Plan | Risks requiring plan | Risks with plan |
---|---|---|
Mitigation | 242 | 232 (96%) |
Contingency | 146 | 102 (70%) |
Source: GAO analysis of U.S. Census Bureau 2020 Census risk registers as of December 2018. | GAO-19-399
GAO reviewed the mitigation and contingency plans in detail for six risks which the Bureau identified as among the major concerns that could affect the 2020 Census. These included cybersecurity incidents and integration of the 52 systems and 35 operations supporting the census. GAO found that the plans did not consistently include key information needed to manage the risk. For example, three of the mitigation plans and five of the contingency plans did not include all key activities. Among these was the Bureau's cybersecurity mitigation plan. During an August 2018 public meeting, the Bureau's Chief Information Officer discussed key strategies for mitigating cybersecurity risks to the census—such as reliance on other federal agencies to help resolve threats—not all of which were included in the mitigation plan.
GAO found that gaps stemmed either from requirements missing from the Bureau's decennial risk management plan or from risk owners not fulfilling all of their risk management responsibilities. Bureau officials said that risk owners are aware of these responsibilities but do not always fulfill them given competing demands. Bureau officials also said that they are managing risks to the census, even if not always reflected in their mitigation and contingency plans. However, if such actions are reflected in disparate documents or are not documented at all, then decision makers are left without an integrated and comprehensive picture of how the Bureau is managing risks to the census.
The Bureau has designed an approach for managing fraud risk to the 2020 Census that generally aligns with leading practices in the commit, assess, and design and implement components of GAO's Fraud Risk Framework. However, the Bureau has not yet determined the program's fraud risk tolerance or outlined plans for referring potential fraud to the Department of Commerce Office of Inspector General (OIG) to investigate. Bureau officials described plans to take these actions later this year, but not for updating the antifraud strategy. Updating this strategy to include the Bureau's fraud risk tolerance and OIG referral plan will help ensure the strategy is current, complete, and conforms to leading practices.
Why GAO Did This Study
With less than 1 year until Census Day, many risks remain. For example, the Bureau has had challenges developing critical information technology systems, and new innovations—such as the ability to respond via the internet—have raised questions about potential security and fraud risks. Fundamental to risk management is the development of risk mitigation and contingency plans to reduce the likelihood of risks and their impacts, should they occur.
GAO was asked to review the Bureau's management of risks to the 2020 Census. This report examines (1) what risks the Bureau has identified, (2) the risks for which the Bureau has mitigation and contingency plans, (3) the extent to which the plans included information needed to manage risk, and (4) the extent to which the Bureau's fraud risk approach aligns with leading practices in GAO's Fraud Risk Framework. GAO interviewed officials, assessed selected mitigation and contingency plans against key attributes, and assessed the Bureau's approach to managing fraud risk against GAO's Fraud Risk Framework.
Recommendations
GAO is making seven recommendations, including that the Bureau set clear time frames for developing mitigation and contingency plans, require that mitigation and contingency plans include all key attributes, hold risk owners accountable for carrying out their risk management responsibilities, and update its antifraud strategy to include a fraud risk tolerance and OIG referral plan. The Department of Commerce agreed with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Commerce | Priority Rec. The Secretary of Commerce should ensure that the Director of the Census Bureau develops and obtains management approval of mitigation and contingency plans for all risks that require them. (Recommendation 1) | In May 2019, we found that the Census Bureau (Bureau) did not have mitigation and contingency plans for all risks that required them. As we had previously reported, such plans are needed to help the Bureau fully manage associated risks. We therefore recommended that the Bureau develop and obtain management approval of mitigation and contingency plans for all risks that require them. Key to our determination of whether all plans had been approved was a related recommendation that the Bureau's mitigation plans include a clear indication of their status, which we found to be missing. In March 2020, the Bureau updated its decennial risk management plan and, in doing so, required that program but not portfolio risk registers include a clear indication of the status of mitigation plans. In July 2020, the Bureau updated its decennial risk management plan again, implementing the same requirement for mitigation plans in its portfolio risk register. Thereafter, we conducted several reviews of the Bureau's risk registers to determine whether all required mitigation and contingency plans had been developed and approved. As of March 2021, our review found that to be the case. |
Department of Commerce | The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to include clear time frames for developing and obtaining management approval of mitigation and contingency plans. (Recommendation 2) | In May 2019, we found that the Census Bureau (Bureau) did not have mitigation and contingency plans for all risks that required them. Some of these risks had been added to the Bureau's risk registers in recent months, but others had been added months and years earlier. The Bureau's decennial risk management plan stated that mitigation and contingency plans should be developed and presented to management for approval as soon as possible after risks requiring such plans were added to the risk registers, but it did not include clear time frames for doing so. Therefore, we recommended that the Bureau update its decennial risk management plan to include clear time frames for mitigation and contingency plan development and approval. In March 2020, the Bureau updated its decennial risk management plan and, in doing so, included clear time frames for mitigation and contingency plan development and approval, ranging from within one to two months of a risk's addition to the risk register, with differences dependent on characteristics such as the risk level (program or portfolio) and plan type (mitigation or contingency). |
Department of Commerce | The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that portfolio and program risk registers include a clear indication of the status of mitigation plans. (Recommendation 3) | In May 2019, we found that the Census Bureau's (Bureau) decennial risk management plan required a clear indication of the status of contingency but not mitigation plans in its program and portfolio risk registers. Without a clear indication of the status of mitigation plans in the risk registers, we were unable to determine how many of those plans had been approved by management or were still in draft. Therefore, we recommended that the Bureau update its decennial risk management plan to require that both portfolio and program risk registers include a clear indication of the status of mitigation plans. In March 2020, the Bureau updated its decennial risk management plan and, in doing so, required that program but not portfolio risk registers include a clear indication of the status of mitigation plans. In July 2020, the Bureau updated its decennial risk management plan again and, in doing so, required that portfolio risk registers also include a clear indication of the status of mitigation plans. |
Department of Commerce | The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk. (Recommendation 4) | In May 2019, we found that the mitigation and contingency plans for six risks which the Census Bureau (Bureau) identified as among the major concerns that could affect the 2020 Census did not consistently include key information needed to manage the risk. We further found that some gaps stemmed from the Bureau's decennial risk management plan not requiring that mitigation and contingency plans include certain key attributes we identified for helping to ensure they contain the information needed to manage risk. Therefore, we recommended that the Bureau update its decennial risk management plan to require that risk mitigation and contingency plans, including those described in the Bureau's risk register and in separate plans, have the key attributes. In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response--with performance measures and milestones, where appropriate--to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census. In August 2020, we requested documentation of this action and the Bureau agreed to provide it once available. In June 2021, the Bureau provided us documentation showing that it had included this last attribute as a lesson learned for 2030. |
Department of Commerce | The Secretary of Commerce should ensure that the Director of the Census Bureau holds risk owners accountable for carrying out their risk management responsibilities. (Recommendation 5) | In May 2019, we found that the mitigation and contingency plans for six risks which the Census Bureau (Bureau) identified as among the major concerns that could affect the 2020 Census did not consistently include key information needed to manage the risk. We further found that some gaps stemmed from risk owners not fulfilling their risk management responsibilities, such as keeping plans up to date. Therefore, we recommended that the Bureau hold risk owners accountable for carrying out their risk management responsibilities. Following our recommendation, the Bureau took a number of steps to implement it. For example, as of August 2019, the Bureau had instituted new measures for monitoring risk status, including three different monthly reports alerting risk owners and others to, among other things, outstanding actions requiring completion. In November 2019, the Bureau implemented new training sessions for all risk owners detailing the steps they must take to manage their risks, in order to ensure full knowledge of risk management responsibilities. As of December 2019, the Bureau had increased the number of full-time staff dedicated to risk management oversight from two to five, to facilitate more frequent communication with risk owners regarding needed actions. These steps, coupled with measures already in place (such as semiannual reviews of portfolio-level risks by top-level management and the inclusion of risk management compliance as a factor in risk owner performance evaluations) should help ensure that risk owners are held accountable for carrying out their risk management responsibilities. |
Department of Commerce | The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's antifraud strategy to include a fraud risk tolerance prior to beginning the 2020 Census and adjust as needed. (Recommendation 6) | On October 22, 2019, the Bureau provided us with documentation from its updated antifraud strategy that included a fraud risk tolerance. By providing this update, the Bureau has addressed our recommendation. |
Department of Commerce | The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's antifraud strategy to include the Bureau's plans for referring instances of potential fraud to the Department of Commerce Office of Inspector General for further investigation. (Recommendation 7) | On March 2, 2020, the Bureau provided us with documentation from its plan that outlines how to refer potential fraud to the Department of Commerce OIG to investigate. By providing this update, the Bureau has addressed our recommendation. |