The Census Bureau does not have complete mitigation or contingency plans against already identified risks, including potential security and fraud risks, the GAO has said in the latest of many warnings from that agency, the Commerce Department IG and others about the headcount that is now less than a year away.
A report said that as of December, the bureau had identified 360 known risks, of which 242 required a mitigation plan (232 had one) and 146 required a contingency plan (102 had one). However, in a close look at six of the known risks involving cybersecurity, systems integration and other issues, GAO found that the plans “did not consistently include key information needed to manage the risk.”
“GAO found that gaps stemmed from either requirements missing from the bureau’s decennial risk management plan, or that risk owners were not fulfilling all of their risk management responsibilities. Bureau officials said that risk owners are aware of these responsibilities but do not always fulfill them given competing demands,” the report said.
Officials told GAO that some actions are being taken that are not reflected in those plans, but GAO said that “if such actions are reflected in disparate documents or are not documented at all, then decision makers are left without an integrated and comprehensive picture of how the bureau is managing risks to the census.”
It added that while the bureau’s approach to fraud risk generally aligns with leading practices, it has not yet determined the program’s fraud risk tolerance or outlined plans for referring potential fraud for investigation.