In 2015, the California Legislature passed the State Leadership Accountability Act (SLAA).  The act updated previous legislation. The purpose of SLAA was to broaden the reporting requirements to operational and programmatic activities. It reemphasized the responsibility of management to establish and maintain effective systems of internal controls. It also set up bi-annual reporting requirements and included risk assessment as part of the internal controls.

The latest report is for the year 2021. This piece looks at the overall risk assessment for the state from 2017 to 2021 and the California State Transportation Agency’s (CalSTA) risk report for the same period.

Most Common Risk for California

The table below shows the top five reported risks for the state of California for 2017-2021.

As can be seen, Staffing of Key Personnel Dependence and Workforce Planning is the top risk identified by state agencies. Recruitment, Retention and Staffing Levels is the fifth risk. Both are related and indicate that recruitment, retention, and succession planning is a problem. One can also see that in both cases the concern for each risk went up in 2019 but decreased in 2021. The Funding risk showed a similar trend. The Technology-related risks stayed on an upward trajectory.

One of the problems is that this report and the individual agency reports do not indicate the effectiveness of the mitigative measures. Except for Staff-related risks, all the 2021 risks are higher than 2017 levels. From 2017 to 2019 in most cases whatever mitigative actions agencies were taking were failures. In each case the concern increased. Further, it increased substantially.

The 2019 mitigative action did have an impact, but the risks concerns are higher than 2017.  This would signal that “Huston We Have A Problem” with the effectiveness of our mitigative efforts. One contributor may be that state agencies have different risks priorities from one report to the next. Another may be the lack of effective risk mitigation efforts. This can be seen in an examination of CalSTA’s report.

But before that is examined, it is worth indicating the methodology agencies use in identifying their risks.

Risk Identification Methodology California State Transportation Agency

CalSTA executives and midlevel managers participated in the risks assessment process. The risk assessment process included: brainstorming meetings, ongoing monitoring of activities, potential impact of remediation efforts and risk appetite. Once the risks are identified, they are evaluated and prioritized based on their likelihood of occurrence, potential impact on the agency’s mission, potential impact of remediation efforts and tolerance level (appetite) for each type of risk.

As part of the risk assessment process each participant is asked to:

1. List the principal functions associated with their position and operational area.
2. Rate each function as low, moderate or high based on the impact on the agency’s mission and goals.
3. Identify the risks associated with each function and rate them on a high or moderated impact scale.
4. Rate the probability that each risk will occur as either low, medium, or high.
5. Rate the impact of each risk as low, medium, or high.
6. Identify the controls that exist to prevent the risk from occurring.
7. Describe the regular and ongoing monitoring processes that are in place to ensure that the controls are functioning properly.
8. List any corrective actions that need to be taken and the date the actions will be completed. (2)

(This process is used by all California agencies submitting SLAA reports. The risk identification and assessment process are consistent with ISO 31000:2018 and COSO ERM.  For those interested in a deeper dive into the reports or want to see different agency reports, the state Library has catalogued all the SLAA reports. Thus, any interested party can go down the list agencies and find the filed reports for 2015 through 2021.)

Having discussed the risk identification and mitigation process, let’s turn to the 2017-2021 risk reports for CalSTA.

California State Transportation Agency

CalSTA consists of seven entities. Each entity has a focus on safety and sustainability as they relate to California’s transportation system. CalSTA provides cabinet-level attention and coordinates the policies and programs for the following state agencies.

1. The Department of Transportation
2. The Department of Motor Vehicles
3. The Department of the California Highway Patrol
4. The Board of Pilot Commissioners
5. The High-Speed Rail Authority
6. The California Transportation Commission
7. The New Motor Vehicles Board

In 2017 CalSTA identified two key risks. (3) They are consistent with categories 1 and 5 in Table 1. The first risk is below.

• Risk Operations – Internal Staff – Key Person Dependence, Workforce Planning

CalSTA is anticipating a change in Governor-appointed staff as it relates to the change in the Executive Branch. While CalSTA recognizes this risk is associated with organizational restructuring, CalSTA is focusing its efforts to pursue its primary mission regardless of the anticipated restructuring.

The mitigative action is as follows.

To mitigate this risk, the CalSTA executive team meets on a regular basis to discuss various topics, including issues and workload within each executive’s applicable program area. In addition, current staff will compile documents identifying key issues facing CalSTA.

For 2019 three risks are listed. (4) These are different from 2017. They are:

• Local Assistance Contracts Management System
• Information Security Tools
• Procurement/Contracting for CalSTA/OTS

For 2021 five risks are listed. Only one is the same as 2019. The five risks are:

• No Local Assistance Grants Management Resources
• Mandated Training and Personnel Evaluation
• Disruption to Internal Communications
• Disruption of Internal Functions
• Tracking Equipment Assigned to Remote Workers

Since Local Assistance Grants are a similar risk from 2019 to 2021, it is worth examining mitigative efforts. The mitigation efforts for the 2019 Local Assistance Contracts Management Systems are as follows.

CalSTA does not have an automated system to help with the tracking of its local assistance contracts and grants. It uses a spreadsheet. It is recognized that an automated system is needed.

The mitigative efforts for 2021 No Local Assistance Grants Management Resources are as follows.

CalSTA’s staff has used a spreadsheet to manage its contracts and track related reporting requirements, termination dates, and other specific requirements. However, with the significant increase in local assistance funding included in CalSTA’s budget, CalSTA has requested that Caltrans assist with grant management functions.

Discussion

The state of California has a robust risk management process in place. The risk assessment and evaluation process are consistent with that outlined in ISO 31000:2018 and COSO-ERM. The problem is the mitigative efforts. It is difficult to determine from the report whether the risk mitigative efforts are truly substantive or performative. The indication from the 2019 and 2021 Grants Management risks indicate it is more performative. Having identified in 2019 the need to automate its grants management system, two years later CalSTA is asking Caltrans for assistance. If Caltrans had a grant management system up and running two years ago, why was it necessary in 2021 to ask for assistance? If the grants management system is just up and running, why didn’t CalSTA install a similar system at the same time?

I am not making a judgement here. There is too little information for that. What I am saying more generally, is that without a robust, detailed, and sustained mitigative effort, the risk management process fails to accomplish its primary task – risk management.

Endnotes

1. SLAA 2021 Reporting Notification, 2021, https://dof.ca.gov/programs/osae/state-leadership-accountability-act-slaa/#:-:text=SLAA%2021%Reporting%Notification%20New%in%2020.
2. California State Transportation Agency, 2021, 2021 Leadership Accountability Report, December 28, 2021, page 3, https://www.library.ca.gov/government-publications/slaa/
3. 2017, op cite, pages 4.
4. 2019, op cite, pages 4-5.
5. 2021, op cite, page 4-5.

BIO

James J. Kline, Ph.D., CERM, He has worked in federal, state, and local government. He has authored numerous articles on quality in government and risk analysis. His book Enterprise Risk Management in Government: Implementing ISO 31000:2018 is available on Amazon. He is also the editor of Quality Disrupted. It is also available on Amazon. He can be reached at jamesjk1236@outlook.com.