Report 2006-601 Summary - May 2007

High Risk: The California State Auditor's Initial Assessment of High-Risk Issues the State and Select State Agencies Face


Effective January 2005, Government Code, Section 8546.5, authorizes the Bureau of State Audits (bureau) to develop a risk assessment process for the State. Through this process, the bureau will identify, audit, and issue reports with recommendations for improvement in areas it identifies as high risk.

For this inaugural high-risk list, we have identified both risks that encompass multiple state agencies and those that are agency-specific. The following are the significant statewide risk areas:

The following two state agencies meet our criteria for high risk:


Providing the leadership, programs, and services the State needs is a complex business; the use of significant resources and the provision of critical services to the people of California are accompanied by risks. Systematically identifying and addressing high-risk areas can contribute to enhanced efficiency and effectiveness by focusing the State's resources on improving the delivery of services related to important programs or functions. Legislation effective in January 2005 authorizes the Bureau of State Audits (bureau) to develop a risk assessment process for the State. In particular, Government Code, Section 8546.5, authorizes the bureau to establish a high risk audit program to identify, audit, and issue reports with recommendations for improvement in areas it identifies as high risk. The bureau's authority includes initiating audits of areas identified as high risk and requiring the responsible state agencies to periodically report on the status of their progress in mitigating or resolving identified risks.

In some instances risks related to leadership, programs, or services cut across all or multiple state agencies; in other instances one or more of these risks are concentrated in one state agency. For this inaugural high-risk list, we have identified both risks that encompass multiple state agencies and those that are agency-specific. In particular, we believe the State is currently faced with at least five significant statewide risk areas: emergency preparedness, maintaining and improving infrastructure, information technology (IT), management of human resources, and other post-employment benefits of retiring state employees. We further believe that two state agencies meet our criteria for high risk as they face challenges in their day to day and long-term operations: the Department of Corrections and Rehabilitation (Corrections) and the Department of Health Services (Health Services).

California's emergency preparedness system must address a wide range of potential emergencies, some of which can be catastrophic in their effect on public health, safety, and economic well-being. Multiple state agencies play a role in ensuring the State is prepared to respond to emergencies including the Governor's Office of Homeland Security, the Governor's Office of Emergency Services, and Health Services. Despite the heightened awareness of the potential for a catastrophic emergency arising from events such as Hurricane Katrina and the terrorist attacks on the United States in 2001, the State is not as well prepared for emergencies as it should be. The bureau's most recent report on emergency preparedness supports this concern. Among the key concerns the bureau noted in that report were that the State's organizational structure for ensuring emergency preparedness is neither streamlined nor well defined and its annual response exercises have not sufficiently tested the medical and health response systems.

Infrastructure is the underlying foundation or basic framework of a system or organization. The State's infrastructure covers a myriad of assets including roads, bridges, and levees, much of which was constructed in the 1950s and 1960s. Maintenance and improvement needs for these critical State assets have increased as they have aged but have not always been met. Similarly, as the State's population has grown, it is widely acknowledged that we have not always added the infrastructure necessary to accommodate that growth. Until recently, significant financing has not been available to meet infrastructure demands. However, in November 2006 the voters approved an unprecedented bond package totaling $42.7 billion to begin addressing the State's infrastructure needs. The authorization of these bond funds introduces a number of risks that must be addressed. The State must properly plan for the use of these bonds, coordinate the projects the funds will finance, take on debt responsibly, and ensure it meets its fiduciary responsibility to the taxpayers by monitoring and overseeing how these dollars are spent.

Information technology (IT) systems are increasingly important for efficient and effective business practices. Strong IT oversight is critical at a time when the State has IT projects in process which, according to the Department of Finance, currently total nearly $6 billion. However, despite efforts to establish statewide governance over IT, the State's prior models had limited success and did not provide the statewide vision needed to ensure the State invests in IT projects promising the greatest possible benefit. As a result, the State has suffered past IT failures costing taxpayers hundreds of millions of dollars. The State is beginning to implement a new governance model, but the functions of and full level of responsibility for the current model are not yet clear. Without strong statewide oversight and a clear vision of IT needs, the State is at risk for ineffective and improper IT investment and use.

Human resources management is another statewide high-risk area. The State will soon face the consequences of a significant portion of its current workforce retiring. According to the Department of Personnel Administration, 44 percent of the State's current workforce is over the age of 45, and up to 35 percent of these employees are eligible to retire between 2006 and 2010. Staffing shortfalls may reduce the ability of state agencies to perform their missions efficiently and effectively, and significant vacancies could threaten the ability of state programs to deliver critical services. Large numbers of retirements and filling vacancies with quality staff present challenges that are strongly entrenched and far-reaching. These challenges are not limited to any one agency; they have the potential to negatively impact every state agency. As more and more top managers and key staff reach retirement age, this challenge will become more acute.

Another effect of these retirements is the increased cost to the State of other post-employment benefits—those benefits the State pays individuals in addition to a pension, such as health care. The State pays 100 percent of the health insurance cost for retirees, as well as certain other costs, out of annual appropriations on a pay as-you-go basis. The cost of providing these insurance benefits to retirees for the year ended June 30, 2006, was $888 million. With the required implementation of a new federal reporting standard, the State's financial statements for fiscal year 2007-08 will for the first time need to reflect its estimated liability for these future other post employment benefits. In early May 2007 the State Controller's Office issued a report from its actuary estimating the liability at $48 billion as of July 1, 2007. The State's risk here is twofold: whether it can afford to provide the level of benefits promised to its employees while protecting its credit rating. Bond rating agencies have already made it clear they will look with disfavor on governments that do not adequately plan for managing this liability.

Although we do not intend them as a complete list of all the risks state agencies face, Corrections and Health Services presently face significant challenges that warrant inclusion on our inaugural high-risk list. Corrections reports that many of its adult institutions are exceeding their capacity to safely house and rehabilitate inmates and the United States District Court for the Northern District of California placed Corrections' inmate health care system in receivership. Corrections also faces the challenge of continuing to implement a reorganization it began in 2005, a reorganization designed to address many of the problems it faced then and continues to face today. Corrections' reorganization efforts are also at risk because of inconsistent leadership at many management levels.

On July 1, 2007, Health Services is slated to split into two separate departments: the Department of Public Health and the Department of Health Care Services. The primary goal for the split is to provide stronger, more focused leadership over public health and to give the State's role in public health a significantly higher priority. The Legislature has also expressed its expectation for increased accountability and program effectiveness for both the public health and health care purchasing functions the State provides. California faces risks related to program continuity from creating two departments where just one existed before, and the two new departments face challenges of enhancing accountability and program effectiveness to meet the Legislature's expectations.

We will continue to monitor the risks we have identified in this report and the actions state agencies take to address them. To successfully mitigate these risks, we believe the State needs to take certain actions. For example, in the case of the broad areas of risk involving multiple agencies a responsible person, group, or entity must be charged to address the risks. Those responsible parties and the specific state agencies we have designated as being at high risk must demonstrate a commitment to address the risks and have sufficient resources to resolve them. They must develop detailed and definitive action plans along with a process for independently monitoring and measuring the effectiveness of the steps taken. In addition to monitoring these actions, we plan to periodically evaluate the quality and effectiveness of the State's mitigation efforts by conducting audits and making recommendations for improvement. When state actions, including those in response to our recommendations, result in significant progress toward resolving or mitigating these risks, we will remove the high-risk designation based on our professional judgment.