#196 – THE STATE OF CALIFORNIA’S RISK CATALOG – JAMES KLINE PH.D.

aIMG_4231-150x150Introduction

In 2015, the California Legislature passed the State Leadership Accountability Act (SLAA).  The act updated previous legislation. The purpose of the update was to broaden the reporting requirements to operational and programmatic activities. It reemphasized the responsibility of management to establish and maintain effective systems of internal controls. It also set up bi-annual reporting requirements and included risk assessment as part of the internal controls.  To assist departments and agencies with the risk assessment, in 2017, the Department of Finance published the State Leadership Accountability Act Risk Catalog.

With the passage of the SLAA, California joins Tennessee and Washington in mandating the use of Enterprise Risk Management (ERM). The development of the risk catalog strengthens the ERM implementation effort and provides a reference for not only California state agencies, but any other government interested in implementing ERM. This piece discusses the catalog.

Purpose

The catalog is designed to provide a standardized risk language for the SLAA reporting.  It is also a tool which may assist any state entity in:

  • Categorizing significant risks for the SLAA report.
  • Compiling risks identified by various units within the entity into common risk areas.
  • Providing ideas during risk assessment brainstorming sessions.

The catalog standardizes the language by grouping risks into the following three areas.

  • Risk categories – current internal control standards for objectives.
  • Risk subcategories – internal or external source of the risk.
  • Risk factors – specific categories with definitions and examples.

Foundation Source

The catalog’s risk category structure is based on two primary documents. The first is the Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission. The second is the Standards for Internal Control in the Federal Government (Green Book). In addition, feedback was obtained from entity staff and previous SLAA risk assessment reports.

SLAA Risk Categories

The catalog includes a one-page overview, followed by a more detailed listing of the risk categories and risk factors. The table below excerpts from the overview.

 

Screen Shot 2018-02-18 at 6.09.26 PM

Two things should be highlighted. First, there is overlap between internal and external risks. Being able to identify the overlaps enables the organization to develop mitigation strategies for the overlapping risks. Second, overlaps not only occur between the internal and external sources, they occur among organizational subsections. Thus, taking an enterprise wide approach to risk mitigation improves organizational efficiency, by allowing it to more efficiently allocate resources.

Conclusion

With the passage of the SLAA, California joins Tennessee and Washington in mandating ERM.  The inclusion of risk assessment in the SLAA bi-annual reporting requirement, means that risk assessment is going to become a standard operational function. By making management responsible, risk assessment will also become a required management skill set. By developing a risk catalog, the state has not only standardized the structure of the SLAA report but provided a tool which reinforces an enterprise wide approach to risk assessment. Finally, for those interested in the implementation of ERM, the catalog provides a good reference for both discussion and implementation.

Bio:

James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager.  He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality in government and risk analysis. jeffreyk12011@live.com

 

Leave a Reply

Your email address will not be published. Required fields are marked *