Risk Management
Definition
Risk may be defined as ‘the probability of an unwanted outcome happening’ or a collection of unknown and known factors/possibilities that may impact negatively on the effectiveness of the procurement process and achievement of its wider objectives.
Risk management is a process that includes the identification and analysis of risk, and the decision to either accept or mitigate the exposure to such risk when compared to the potential impact on the achievement of the organisation’s objectives.
The procurement function should identify risk factors associated with each procurement transaction, analyse the probability of the risk occurring and consider the potential impacts. Risk management plans should then be developed, based on the decision to avoid, assume, or transfer the identified risks. Risk management facilitates the taking of these decisions and actions to control risk appropriately by providing a disciplined and objective approach.
Types of risk
Various types of risk exist for procurement operations and these risks can be both external and internal, as well as strategic and operational. It is important to identify where these risks are located at the commencement of the procurement process. The following are examples of risks to the procurement process:
- escalating costs of fuel, energy, and raw materials
- exchange rate fluctuations
- financial instability of suppliers leading to supplier failure
- supplies not to specification or quality standards
- supplier failure to deliver on contracted obligations
- sole sourcing arrangements
- changes in environment or legislation that affect the supply base
Risk Management Process
The risk management process involves four key activities: risk recognition, risk analysis, risk assessment and risk mitigation:
Risk recognition is the process of identifying all the potential areas throughout the procurement chain where risk is present.
Risk analysis is the process of analysing all the potential areas of risk and estimating the probability of each happening.
Risk assessment is the process of assessing the likely impact of a risk on the organisation. Highly predictable risks may have low impact and therefore it is possibly not worth taking any action to control or avoid the risk. On the other hand, low probability risks can have a significant impact and some form of action may be demanded 'just in case'. The cost of controlling or avoiding the risk also needs to be taken into account.
Risk mitigation involves drawing up plans and assigning responsibilities in order to control and lessen the risks that have been identified and assessed. Risks should then be allocated to an owner who is responsible for managing them, possibly with the help of other team members.
Risk recognition/analysis
Risk recognition/analysis should be part of any significant procurement and supply process. For example, its use is vital when determining the overall strategy for categories of expenditure, sourcing and even tactical procurement. It is a key skill of any procurement professional and its use is vital in controlling (as far as possible) the risks associated with any procurement activity.
Risk recognition/analysis can be either a simple or very formal process. The latter approach is more appropriate for high-value and high-risk projects such as a new IT system (and may involve following a set procedure, working cross-functionally with colleagues, brainstorming and risk evaluation). For more complex situations, the risks should be brainstormed and categorised into groups such as ‘technical risks’, ‘financial risks’, etc.

Recognition/analysis may also be informal, using an iterative process or based on prior experience, for less significant procurement activities. The key task is to be able to identify and analyse all the risks relating to a particular procurement transaction (including the potential impact on the organisation) and to decide what level of effort is appropriate to the circumstances.
Risk assessment
It is critical to the procuring entity to be able to assess the likely impact of any identified risks on the procurement process and subsequently on the organisation’s operations. It is the role of the procurement professional to identify these risks either in discussion with the supplier and/or with the end user. The existence of a risk register will provide a basis of the historical risks that have affected the procurement function and the measures taken to mitigate those risks.
Of course, there is a degree of uncertainty about whether and when a risk may occur and about the potential impact it may have upon the procuring entity, and this affects the ability to assess the likelihood of potential risks actually occurring. Human interpretation can also affect the assessment of risk, as individuals will have different perceptions of the levels of risk and the potential impact.
Risk is usually assessed in terms of:
Likelihood – the probability of the identified risk actually happening
Severity of impact – what will be the consequences for the organisation of the risk occurring? Some examples are:
- interruption of supplies
- financial loss
- delay in programme completion
- organisation’s reputation affected
- lives lost
Assessment methodology by combination of likelihood and impact
- assess the probability of each risk occurring (a) on a scale of 1-5 (1 = low, 5 = high)
- determine the severity of the impact (b) on a scale of 1-10 (1 = low, 10 = high)
- identify the total risk factor by multiplying (a) x (b)
- prioritise the risks to be treated and monitored
Risk mitigation
Risk mitigation seeks to put measures in place to lessen the severity of an unplanned event should that event occur. Mitigation should apply particularly to those risks that have the potential for the most severe impact and greatest probability. Identification of risks, consideration of their probability, and impacts should lead to a risk management plan that identifies risk mitigation strategies. Some common mitigation strategies are shown below:
Sharing the risk – inserting contract clauses that include provision for adjustments in the schedule or price for identified events, e.g. force majeure clauses, delay for default, suspension of work, differing site conditions in construction, changes, clauses, and terminations for convenience.
Monitoring the risk – reporting/notice and dispute elevation provisions to be used as monitoring methods for events that may increase risk. In appropriate cases, the contractor may be required to have a quality management system that includes periodic reporting requirements and progress meetings between the contractor and agency.
Transferring risk – risks may be transferred to the supplier or other bodies via a number of strategies, which include:
- Insurance – care must be taken to ensure that all types of applicable insurance to be provided by the supplier are identified (comprehensive, general liability, automobile liability, and error and omission) for the contract term or post contract
- Bid deposit, bond, and security – should be requested in high risk, high value, and highly sensitive acquisitions. The amount of bid deposits should be reasonable and based on the risk and nature of the acquisition in terms of its technical aspects or sensitivity. A bid bond (surety bond, irrevocable letter of credit, a bank note or draft, or an insurance certificate) acts as surety and when submitted will be retained by the procuring entity until the evaluation process has been completed and contract award has been determined.
- Performance and payment bond – the performance bond should indemnify or protect the public entity for a certain percentage of the value of a contract in the event of default on the part of the supplier, or the supplier in performance of the work covered under the contract.
If the supplier perceives risk to be high, it will build in extra safety and extra margin. The procurement professional should try to identify and improve upon these areas of concern, often in discussion with the supplier.

Various procurement strategies and techniques can make a substantial contribution to the effectiveness of the risk management system. For example, supplier appraisal or tender evaluation can minimise the risk of using unsuitable suppliers.