Risk Management is a critical and continuous process, and appropriate Risk Assessments should be undertaken, reviewed and managed throughout the Procurement Journey.
It is important to engage with the marketplace in terms of identifying the desired outcomes, risks and issues. This permits suppliers to provide feedback on how the outcomes might be achieved, the risks and issues as they see them, along with feedback on timescales, feasibility and affordability. It is also best practice to ensure that suppliers are contractually required to provide line item spend details as part of the contract support.
Risks and issues identified should be documented in a Risk & Issue Register. All risks and issues should have clear mitigating actions, appropriate owners and a review date. Risks and issues may be fed into a central organisational risk register so that any overlap can be recognised.
Risks & Issues
A risk can be defined as an uncertain outcome (either positive or negative) that may affect the course of a procurement exercise at a future date.
An issue is a factor affecting the development or the implementation of the commodity/service strategy at the present time. Actions are therefore immediately put in place to resolve the issue due to its urgency.
All procurements will contain risks that may impact on their progress therefore it is important to identify and assess risks in the present so that the risk can be managed to prevent it from becoming an issue.
Why is Risk Management Important?
Effective management of risk helps you to manage innovation and improve performance by contributing to:
- Increased certainty and fewer surprises
- Better service delivery
- More effective management of change
- More efficient use of resources
- Better management at all levels through improved decision making
- Reduced waste
- Management of contingent and maintenance activities
The initial identification of risks and issues with the potential to impact on the objectives of a given procurement exercise is essential in terms of understanding.
Sources of risk can be divided into four categories:
Examples of these categories are in the Sources of Risk table.
Many risks will be generic across all procurement exercises conducted by an organisation however there will also be project specific risks that you must consider.
Once risks are identified they should be documented in the risk register as detailed above.
The purpose of risk assessment is to assess the probability of risks occurring and their potential impact.
|Probability (or likelihood)||Impact|
The evaluated chance of a particular outcome actually happening (including a consideration of the frequency with which the outcome may arise).
The evaluated effect or result of a particular outcome actually happening (usually considered in terms of effect in cost, scheduling and quality).
The risk assessment can be assisted by using a risk probability framework. Example criteria for assessing probability and impact are also available to help with this stage of the Risk Management process.
Once risks have been identified and assessed they must be addressed and controlled. The response must be proportionate to the level of the risk that will have been determined as part of the risk assessment. The table suggests four types of response that may be used to address risks at different levels.
For Risk Control you should consider each of the responses which are explained in more detail below.
Risks should only be tolerated if the result of their assessment is low or very low. The cost of taking an action may be disproportionate to the potential benefit gained. This does not mean no action should be taken at all. You should continue to monitor the risk and note any changes in the situation that may result in an increased level of risk.
The purpose of 'treating' a risk is to reduce the risk to an acceptable level for the organisation. It is likely that a large number of risks will belong to this category. There are many courses of action an organisation could take to 'treat' risks.
Before deciding to transfer a risk to a third party, you should consider who is best placed to manage the risk. It may be that the risk is best managed internally within your organisation. It is also possible that transferring risk to a supplier will result in a significant cost to your organisation and this should be considered before taking this course of action. Also remember that whilst you can transfer responsibility for an action, you cannot transfer accountability.
Review & Rethink Strategy
If the assessed level of a risk is very high, you may need to reconsider your approach. In some circumstances it may be necessary to stop the current course of action and start over. It should be noted that the option to terminate activities should be exercised as a last resort, where other courses of actions have not mitigated the risk to an acceptable level. You should consider that the reason a number of activities are conducted in the public sector is because the associated risks are so great that there is no other way in which the output or outcome, which is required for the public benefit, can be achieved.
When controlling risks at the contract management stage, cooperation and dialogue between a contract manager and supplier should be actively encouraged. If suppliers feel able to share information about potential problems at the earliest opportunity then small issues can be dealt with and not escalate.
One of the most common approaches to monitoring risks is the use of a risk register. The risk register should be set up at the start of the project and reviewed at each stage of the procurement and contract management process e.g. Strategy, ESPD, ITT, Contract Award, and Contract Review Meetings.
Risk monitoring should be a continuous process.
A risk register should contain the following information as a minimum:
- Risk identification number
- Risk Owner
- Description of Risk
- Results of assessment (Probability/Impact) and date of assessment
- Mitigating Actions - what are you going do to address the risk
- Date when the risks will next be reviewed
The ownership of risk must be clearly defined within the risk register and agreed with the individual owners. This will ensure understanding of roles, responsibilities and ultimate accountability. Individual owners should have the capability, authority and experience to deal with risk/s allocated to them.
In order to maintain a historical record of risks identified and mitigating actions taken, a new version of the risk register should be completed at each review stage.