Академический Документы
Профессиональный Документы
Культура Документы
Session 2.1
Learning Objectives
By the end of this session, participants will be able to Explain the various stages involved in risk management process
Basic Concepts
Risks - The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood. It is a concept that auditors and managers use to express their concern about the probable effects of an uncertain environment. Since the future cannot be predicted with certainty, auditors and managers have to consider a range of possible events that could take place. Each of these events could have a material effect on the enterprise and its goals. The negative effects are called risks and the positive effects are called opportunities. There may be circumstances or events that should not occur for the procurement process to be successful. If you believe such an event is likely to happen, then it would be a risk.
Notes 2.1
1/8
Session 2.1
Treat Risks
Notes 2.1
2/8
Session 2.1
The above diagram presents risk management process in five sequential stages. However, in practice it may not necessarily be strictly sequential. Although they are five separate definable processes, the information discovered at one stage may require the agency to return to previous stages. Many agencies regard Monitoring and Review as the sixth stage but since it is a continuing process from the stage of Establishing Context till Treating the Risks, it has been shown as a separate process. The outcome of risk management process should be a formal Risk Management Plan. 1. Establish Contexts The first stage in risk management process involves determining key business objectives, processes and resources. In developing a strategy for managing the risks associated with the procurement process, it is important to understand, by all parties, goods to be delivered, the business outcomes and outputs that those goods support, the management environment and the business risks associated with the procurement. This stage involves providing answers to the following questions; What are the objectives and goals of the procurement? (Objectives) Who is interested in or impacted by this procurement? (Stakeholders) What are the measures of success for this procurement? (Criteria) What are the key aspects that make up this procurement? (Key Elements)
Such information establishes the context that defines the overall priority of the procurement to the organisations business, which in turn determines the level of resources that should be allocated to the procurement risk management process. The costs incurred in managing the risk should be commensurate with the size, type and complexity of the procurement and the benefits in terms of reduced levels of risk in order to achieve the primary value for money objective. 2. Identify the Risks This stage involves the identification of possible types of risks. The two major questions that should be asked at this stage are What events could occur that may adversely impact upon the objective of the procurement? (What can happen?) How could these events happen and if they did, in what way would they impact upon the procurement? (How could it happen?)
In many of the major procurements, there could be at least two levels of risk as contract risk and contract management risk: i. Contract Risk These are risk associated with the delivery of the service such as goods not delivered in accordance with the requirements of the contract in terms of cost, quality and quantity. Normally such risks are external and therefore may be considered beyond our control. External risks could be grouped as:
Notes 2.1
3/8
Session 2.1
Political/Regulatory Policy Changes Administrative changes Changes of government etc. Economic/Market Pricing Reviews Cost escalations Suppliers business failure Economic Downturn etc.
Environmental/Natural Fire Flood/landslides Earthquake etc. Technological Viruses Hacking Network Failure Changes in technology etc.
ii.
Contract Management Risk These are risks associated with the management of the contract. Such risks are generally lower and arise from within the organisation. They are less likely to threaten the delivery of goods. However, if they are not managed, they could threaten contract relationship and adversely affect the delivery of goods. Such risks could be grouped as:
Strategic Non identification of key outputs Performance targets not aligned with the outputs Skill/Knowledge gap Change in business objective etc. Operational Failure to meet output targets for time, cost, quantity and quality Skill/Knowledge Gap Environment and safety requirements Staff unrest etc.
3. Analyse the Risks Once the risks are identified, they are analysed in terms of their likelihood and consequences. The questions that should be asked at this stage are; What policy, processes, procedures currently exist and whether they are effective? (Controls) What is the impact on the procurement if the risk occurs? (Consequence) How likely is it that the identified consequence will materialise? (Likelihood) What is the severity of the risk, given the consequence and likelihood? (Level of Risk)
At this stage, the management must see whether the existing controls are enough to mitigate the identified risks. Such an assessment will provide an opportunity to identify ways of improving the internal controls. The impact on procurement process can arise from a range of risk events. Management should assess each event to determine the likelihood of its occurrence and whether it could adversely affect the specified delivery standards in terms of cost, quantity and quality. Such impact areas may be categorised by outputs, resources, reputation, business interruption, compliance and clients/stakeholders while the likelihood of risk occurring could be categorised as frequent, probable, occasional,
Audit of Procurement Process Notes 2.1 4/8
Session 2.1
remote or improbable. The severity of the impact of risk can be determined by establishing relevant evaluation criteria (e.g. low high risk escalating scale against which the impact can be assessed). Careful consideration is required to determine the extent of evidence required to validate findings and conclusions regarding the level and nature of an identified risk. 4. Evaluate and Prioritise Risks Once the risks are analysed in terms of likelihood and consequences, the management has to evaluate and prioritise the risks. The questions that should be asked at this stage are; Are the risks tolerable or is further treatment necessary? (Evaluation) Which risks are to be treated first? Prioritise all risks by assessed risk level (Rank Risks) Are there risks that may be set aside or are so insignificant that they do not require specific action? (Screen Risks)
The outcome of this stage should be the unacceptable risks in accordance of priority that needs to be treated or require specific actions. However, acceptable risks should be monitored and periodically reviewed to ensure that they remain acceptable. 5. Treat Risks The aim of treating the risk is to reduce the risk to a level that is acceptable by the agency. It involves considering alternative options for dealing with those risks that are considered as intolerable or unacceptable. The questions that need to be asked at this final stage of procurement risk management are: What actions can be taken to eliminate or reduce the risks? (Identify Options) What is the best option, or set of options, noting costs and benefits? (Select Options)
Based on the solutions to the above questions, the management has to prepare detailed treatment plans by including resources and other schedule matters. Accordingly, the plan needs to be implemented, with adjustments as and when necessary. The Risk Treatment could offer the following 5 or more options; i. Reduce the likelihood. This involves developing strategies and actions for reducing the likelihood of the risk occurring. E.g. Seeking police protection where there is risk of valuable goods being looted by the robbers. ii. Reduce the consequence. This involves developing strategies and actions for reducing the consequence should the risk occur. E.g. making provisions for loss in transit.
Notes 2.1
5/8
Session 2.1
iii. Transfer. This involves transferring the risk in part or full. Risk transfer can be initiated by; Risk Sharing, where risk exposure is shared between the contracting parties by such methods as pricing structure that are either fixed or cost reimbursement contracts E.g. Management bearing 50% of the cost escalation. Risk Allocation, where only one party or third party such as an insurer bears the risk. It can increase or lower the contract price depending on who bears the risk. E.g. Goods Transit Insurance
iv. Avoid. This involves avoiding the activity altogether if the activity is likely to generate risk. Factors to consider the validity of this option include: What will happen if the activity is not undertaken? Is the risk level too high to proceed/continue with the activity? Is the cost of required controls higher than the benefit of the activity? Will the failure of the activity have critical consequences for other areas of the procurement process.. E.g. if buying from certain country is risky, given the political unrest in that country, then the management can avoid buying from that particular country after considering the above factors. v. Retaining the Risk. This involves retaining the risk and managing it. Such an option normally leads to heavy resource requirement. The risk treatment options could largely depend on the cost and benefits of each option. Risk Monitoring and Review Risks and their priorities do not remain the same. Therefore on-going monitoring and review of the overall risk management process is essential to ensure the efficient and effective delivery of goods. Monitoring and review has to be a continuous process commencing with establishing context. Accordingly new risks and their impact on the procurement process need to be established. The outcome of the overall risk management process should be a formal or informal Risk Management Plan that identifies and ranks all risks and their treatments. Key decisions and factors that led to those decisions should also be recorded for transparency and accountability purpose.
Notes 2.1
6/8
Session 2.1
Summary
Risk Management is a practical planning and problem-solving tool. It involves the concept of controlling the extent of risk and/or the severity of the consequences. In managing risks, a balance needs to be struck between the costs of managing risks and the benefits gained. As a general rule, the aim should be to allocate risks to those best able to manage them provided that the cost of transferring them to that party does not exceed the cost of retaining them.
Notes 2.1
7/8
Session 2.1
While it is essential for an auditor to understand the risk management in the procurement process, one should not forget that there is the auditors own risk (audit risk) in any type of audit. Auditors give an audit opinion based on reasonable assurance, since to do so with absolute certainty would be vastly expensive and near impossible. It is acceptable that audits are performed on a test basis, with a resulting risk that auditors may fail to discover all material errors. Therefore, auditors should also manage their own risk during the process of auditing. Risks are involved in all stages of the procurement process. The subsequent sessions deals with identifying the risks and auditing each stage of the procurement process. Risks identified at each stage in the procurement process can be managed by the auditors by developing an audit plan and checks appropriate to the risk perception and accordingly report his findings. ******.
References
ASOSAI, ASOSAI Guideline for Dealing with Fraud & Corruption ASOSAI, FAIT Workshop Material, 2003 The Public Sector Comparator, A Canadian Best Practice Guide, 2002 ANAO, Better Practice Guide, 1998 CIDB, Procurement Practice Guide, 2003 ACT Insurance Authority, Risk Management Tool Kit, 2004 David McNamee, Assessing Risk Assessment, 1996 Procurement Strategy Council, Managing Procurement Risk, 2003 CSP Practice Note Guide to Limiting Supplier Liability in Australian Government ICT Contracts West Devon Borough Council, Corporate Procurement Strategy
Notes 2.1
8/8