Mitigating Risk in Procurement

In any procurement there is an element of risk; the contractor may fail to deliver, the
products/service/works may prove unsatisfactory in operation, the contractor’s business may fail, or the
contractor may abscond; the commercial environment may alter considerably for reasons outside of
your control. It is essential, therefore, that steps are taken to mitigate such risk. Mitigation seeks to put
measures in place to lessen the severity of an unplanned event should that event occur.

Hazard Identification
A hazard is anything that has the potential to cause damage. That damage could be physical,
environmental, emotional or financial. In assembling a contract, the hazards likely to be encountered
should be identified. The associated risks can then be analysed and evaluated.

Risk Analysis

Once the hazards have been identified, the risk, or likelihood that the hazard may actually do some
damage, can be analysed and the appropriate steps taken to lessen the severity of the event or mitigate
the risk. For instance; when drilling through a wall, the electrical cables in the wall are a hazard
because the operator could be electrocuted if the drill comes into contact with them. The risk of such
an occurrence is mitigated or lessened by switching off the electricity supply to those cables, so that if
the drill does come in contact with them the operator suffers no harm.

Similarly, in business, there are hazards associated with all contracts. The risks associated with these
hazards should be carefully assessed and appropriate steps taken to lessen their severity. It may be that
the price of a particular commodity is very volatile and that the hazard is that it may become so
expensive that it also becomes unaffordable. By buying forward and guaranteeing supplies at a set
price for a set period the risk is mitigated. You may even need to borrow money to fund such a
purchase, but the cost of borrowing those funds may be significantly lower than paying the higher price
for the commodity later on.

In doing this, the severity of the event is lessened i.e. you may have to pay more initially because you
will be paying interest, but the interest may well be less than the price increase.

Carmarthenshire County Council in Wales has prepared an extensive discussion document on Risk in
Procurement. It is a useful document to use when building your knowledge of Risk Mitigation in
Procurement.

AA 20/08/04 Page 1 of 7
Carmarthenshire County Council, Wales, Discussion Paper on Procurement Risk and the
Integration of Procurement Risk into the Procurement Cycle

What is business risk?

The Economist Intelligence Unit defined business risk as “the threat that an event or action will
adversely affect an organisations ability to achieve its business objectives and execute its strategies
successfully”.

What is Carmarthenshire County Council’s view of business risk?

The Council is externally focused and values innovation. It seeks to exploit opportunities to improve
and strategies and policies are modified to reflect changing circumstances. The Authority seeks to learn
from its experiences and promotes a “can do” attitude. These are the traits of an organisation that
embraces risk culture, recognising that risk needs to be managed but cannot be avoided.

How does procurement risk differ from business risk?

Public procurement is a strongly regulated area but is ultimately concerned with turning strategy and
policy into action on the ground. It is an area where the actions of the Council are clearly visible both
in terms of outcomes and the process by which those outcomes are delivered. Procurement risk can
therefore be seen as an action or event relating to the acquisition, management or disposal of goods,
works or services which adversely affects the ability of the Council to deliver its services to
stakeholders, in a fair, transparent and non-discriminatory way.

What sort of procurement risks might arise?

The Council’s Risk Management Strategy defined eight categories of strategic risks and seven
categories of operational risk. These can be viewed from a procurement perspective:

Strategic Risk

Defined as risks that need to be considered in judgements about medium to long term goals and
objectives of the Council (say over the term of the Community Strategy i.e. 2004 –2020)

• Political: those associated with a failure to deliver either central or local government policy or
to meet the local administrations manifesto commitments e.g. a failure to integrate
sustainability considerations into acquisition decisions.

• Economic: those affecting the councils’ ability to meet its financial commitments e.g. failing
to consider the consequences of proposed major investment decisions prior to an acquisition.

• Social: those relating to the effects of changes in demographic, residential or socio-economic

trends on the council’s ability to deliver services e.g. failure to procure sufficient elderly care
provision for an ageing population.

• Technological: those associated with the councils capacity to deal with the pace/scale of
technological change or its ability to use technology to address changing demands e.g. a
failure to procure the appropriate software to allow the for efficient financial management of
the authority.

• Legislative: those associated with current or potential changes in national or European law e.g.
a failure to address the European WEEE Directive concerning the disposal of electrical goods.

• Competitive: those affecting the cost or quality competitiveness of a service e.g. the failure to
address a failing service through improvement, market testing or outsourcing.

AA 20/08/04 Page 2 of 7
 • Customer/citizen: those associated with the failure to meet the current or changing needs and
expectations of customers and citizens e.g. the demand to improve the availability of public
transport

AA 20/08/04 Page 3 of 7
Operational risk

These are risks that managers and staff will encounter in the daily course of their work. They may be:

• Professional: those associated with the practice of procurement e.g. failure to include specific
contract terms leading to contract failure.

• Financial: those associated with a failure to secure a most economically advantageous

outcome to an acquisition e.g. the failure to apply lifetime costing techniques in a tender
evaluation or the failure to apply appropriate financial appraisal techniques prior to contract
award leading to supplier failure.

• Legal: those related to possible breach of legislation e.g. failing to advertise a contract under
the European Procurement Directives.

• Physical: those related to fire, security, accident prevention and health and safety e.g. failing
to procure properly labelled cleaning materials.

• Contractual: those associated with the failure of contractors to deliver services or products to
the agreed cost and specification e.g. delivery by contractors of substandard or out of date
food product.

• Technological: those relating to a reliance on operational equipment e.g. exclusive reliance on

an e-procurement system to deliver critical supply acquisition.

• Environmental: those relating to pollution, noise or the energy efficiency of ongoing

operations e.g. reliance on unsustainable sources of wood for building and furniture.

As the paper suggested, these categories are neither prescriptive nor exhaustive and cannot be
considered in isolation. For example, a professional failure to include appropriate terms in a window
cleaning contract might combine with a physical event, like a ladder falling, which would lead to a
legal challenge for personal injury.

How can procurement risk be assessed?

These key questions help to identify risks:
• When, where, why, how are the risks likely to occur?

• What is the source of each risk?

• Who might be involved?

• How often might these risks occur?

• How reliable is the information?

• What are the consequences of each risk?

• What is the potential cost in time, money and resources?

• What controls presently exist to mitigate the risk?

• What are the accountability mechanisms - internal and external?

• Is there a need to research specific risks or seek further information?

AA 20/08/04 Page 4 of 7
The assessment of procurement risk should not be seen as something sitting outside the existing
procurement practice adopted by the authority, it should be very much a natural consideration within
the 8 stage procurement cycle.

The 8 stages of the procurement cycle are: -

Stage 1 - Identification of Business Need

Stage 2 - Creation of a Business Case

Stage 3 - Preparing for the Quotation or Tender exercise

Stage 4 - Undertaking the Quotation or Tender exercise

Stage 5 - Confirm the Investment Decision

Stage 6 - Award & Implementation of Contract

Stage 7 - Management of the Contract

Stage 8 - Review and Consider options for future

Stage 1 (Identification of Business Need) This requires officers to start to think about the main areas of
risk involved in a procurement. There is no formal requirement to record procurement risk thoughts at
this stage.

Stage 2 (Creation of a Business Case) This requires officers to complete a Tender Record Form
(formally the Tender Strategy Form). This is where we start to formalise things by adding the question
"Have you / do you intend to carry out a risk analysis and produce a risk register to allocate and
manage the mitigation of procurement risk? This will ensure that officers consider risk at a pre-
specification stage.

Stage 3 (Preparing for the Quotation or Tender exercise) If the answer to the stage 2 question is "yes"
(or if it is "no", but without good reason) we should require the Lead Officer (perhaps with the
Evaluation Panel or with whoever is involved in drafting the spec) to produce a Procurement Risk
Register which identifies risks (and opportunities) and allocates the management of mitigation of those
risks. This will be the document that identifies the drivers for the contact management approach. A
simple template for the Risk Register will be provided by the Central Purchasing Unit.

Stage 6 Award & Implementation of Contract) Prior to award of contract the Lead Officer should
revisit the Procurement Risk Register and check that risk has been appropriately allocated and that it is
appropriate to award the contract on this basis.

Stage 7 (Management of the Contract) Contract management arrangements should be sufficiently

flexible to allow for the review of the risk register and revision of mitigation plans at appropriate
intervals.

Stage 8 (Review and Consider options for future) This stage should always include an assessment of
how well risk was managed and comment on the future allocation of risk in any forthcoming contract.

What is a Procurement Risk Register?

A Procurement Risk Register, in its most basic form, is a list of the risks associated with a specific
procurement and a response to those risks. Responsibility for acting on the risk is assigned to a specific
person to manage. The “list” is applicable only to the particular procurement and the principle is to

AA 20/08/04 Page 5 of 7
identify risk and allocate this to the party best suited to manage mitigate or eliminate it. The Register is
a live document throughout the project and should be seen as fluid, responding to developing
circumstances as appropriate.

AA 20/08/04 Page 6 of 7
Who draws up and maintains the Procurement Risk Register?

Staff involved in identifying risks must be knowledgeable about the policy, program, process or
activity being reviewed. Where it is complex, very few people may understand all of its elements and it
may be best to work with a group. The procurement project team (possibly the tender evaluation team)
would usually complete the register.

The Risk Register would be maintained by the departmental procurement Lead Officer for the project
and would form part of the project file informing both the approach to competition, development of
tender documentation, supplier selection and subsequent contract management.
.
What should I include in a Risk Register?

Each Risk Register (normally drawn up in chart form) will contain the following headings:

Author i.e. person identifying the risk

Potential Failure and Cause i.e. a text description of the issue
Direct Consequence i.e. a text description of the output of the issue
Mitigation Response i.e. a text description of what must be done to mitigate the risk
Manager i.e. person responsible for managing the mitigation of the risk.

AA 20/08/04 Page 7 of 7