
Managing Risk in Procurement Page 1 of 14 November 2013

© Department for Education and Child Development 2013

Guideline ID no MR2961/2004

MANAGING RISK IN PROCUREMENT

GUIDELINES

This guideline is applicable to: All DECD Staff; All School Governing Council/School Council Members; Pre-School Management Committees; and DECD Ministerial Committees.

Managed by: Procurement Unit

Responsible position: Assistant Director, Procurement and Contracting

Version: 4.2

Contact person: Ty Potticary

Approved by: Chair, Procurement Governance Committee

File number: 2961/2004

Contact position: Senior Project Officer, Procurement/Fleet

Date approved: November 2013

Status: Current

Contact number: 8226 1347

Next review date: November 2014

Security classification: Not Classified

Document uncontrolled when printed


CONTENTS

1. TITLE
2. PURPOSE
3. SCOPE
4. OBJECTIVES
5. RISK MANAGEMENT
6. THE RISK MANAGEMENT PROCESS
   6.1 Communication throughout the Process
   6.2 Establishing the Context (Internal and External)
   6.3 Risk Identification
   6.4 Risk Analysis
   6.5 Risk Evaluation
   6.6 Risk Treatment
   6.7 Risk Management
7. ROLES AND RESPONSIBILITIES
8. MONITORING, EVALUATION AND REVIEW
9. ASSOCIATED DOCUMENTS
APPENDIX 1 – IDENTIFYING RISK EXAMPLES
APPENDIX 2 – TABLE 1: DECD RISK ASSESSMENT CRITERIA MATRIX
APPENDIX 2 – TABLE 2: DECD RISK RATING MATRIX
APPENDIX 3 – RISK ASSESSMENT TABLE
APPENDIX 4 – RISK TREATMENT OPTIONS
APPENDIX 5 – EXAMPLE OF DETAILED RISK MONITORING TABLE

REVISION RECORD

Date Version Revision description

Nov 2013 4.2 Aligned common procurement risk categories (Appendix 1) to State Procurement Board information. Updated department name (DECS to DECD)


1. TITLE

Managing Risk in Procurement.

2. PURPOSE

The DECD Managing Risk in Procurement Guidelines have been developed to assist in the identification and minimisation of risks involved in the acquisition of goods and services.

3. SCOPE

These guidelines apply to all Department for Education and Child Development (DECD) staff, school governing councils/school councils, pre-school management committees and DECD ministerial committees.

4. OBJECTIVES

The guidelines are to assist in developing an understanding of risks inherent to procurement, and the components and processes of risk management in procurement.

5. RISK MANAGEMENT

The South Australian Government’s Risk Management Policy Statement (2009) places responsibility on agency Chief Executives for the effective and timely implementation of risk management standards and practices, in accordance with the Australian/New Zealand Standard AS/NZS ISO 31000:2009.

The International Risk Management Standard AS/NZS ISO 31000:2009 defines risk as the ‘effect of uncertainty on objectives’. A risk is a future condition or circumstance which could impact on objectives if it occurs, whereas an issue is a current event or condition which should be dealt with. Risk is measured as a combination of the consequence/impact of an event and its likelihood, and may have a positive or negative impact.

Risk management is the systematic, positive identification of threats and the identification of opportunities for the best use of resources. It also involves the development of appropriate strategies to manage risk and enable an organisation to take appropriate action towards the management of resources.

DECD has established a department-wide risk management policy/framework which is based on the South Australian Government Policy. For further information on this overall risk management framework, please refer to the DECD Risk Management Policy.

The DECD Managing Risk in Procurement Guidelines specifically target risk management relating to procurement activities within DECD.


6. THE RISK MANAGEMENT PROCESS

The level of detail and effort required to manage risk in procurement will vary depending on the nature and value of the procurement.

As a guide, the following key steps in the risk management process are provided for consideration when undertaking procurement:

6.1 Communication throughout the Process

Undertake communication and consultation with the relevant internal and external stakeholders. This ensures that all stakeholders share the same understanding of risks within each procurement project and how they are to be handled.

6.2 Establishing the Context (Internal and External)

To establish the context, we must understand the environment in which the procurement is being undertaken, in line with the organisation, stakeholders, strategy and the associated importance of risk management for that transaction.

To establish the risk management context for the procurement consider the following:

• the organisation’s cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment;
• the importance of the procurement to the business and its objectives;
• the relationships with, and the perceptions and values of, internal and external stakeholders;
• capabilities in terms of resources such as people, processes, capital, systems and technology;
• the organisation’s approach to risk in terms of levels of acceptable risk;
• defining responsibilities for risk management in the procurement process; and
• previous experience or lessons learned with similar contracts.

6.3 Risk Identification

All procurement projects require the identification of potential risks associated with the procurement. There are a number of useful tools and techniques that can be used, including:

• checklists
• brainstorming
• systems analysis
• drawing on outside experience
• SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis

Examples of common risk categories in a procurement context have been provided in the State Procurement Board’s Risk Management Guideline, and are included in Appendix 1 for ease of reference.


6.4 Risk Analysis

Risk analysis is a process of determining why, how and where a possible risk might occur. It involves identifying existing controls (if any), including an assessment of the effectiveness of those controls. In determining the level of risk associated with procurement transactions, two key elements require consideration:

• Likelihood: How likely is it that the potential risk will occur?
• Consequence: What would happen if the potential risk eventuates?

6.5 Risk Evaluation

Once the likelihood and consequence of the identified risks have been analysed, it is necessary to evaluate and prioritise the risks so that the most significant risks are treated first.

Within DECD, all Procurements $220,000 and over (GST Inclusive) require the completion of a ‘Full Acquisition Plan’, which includes a risk assessment. Worksites must demonstrate how the procurement will manage any current risks identified. One way of doing this is to rate the specific risks as either extreme, high, moderate or low depending on the combined ratings of the likelihood and consequences. The Risk Assessment Criteria Matrix and Risk Rating Matrix shown in Appendix 2 provide guidance on how risks can be prioritised in this way.

Risk assessment information can then be recorded in the department’s Standard Risk Assessment Risk Identification and Assessment Table (Appendix 3).

For lower value procurement under $220,000 (GST Inclusive) the same principle applies, but may not require the same level of input. For example, the ‘Simplified Acquisition Plan’ used by Central and Regional Offices will only require identifying risk treatment strategies for identified risks, and the risk rating matrix (Appendix 2) will not be necessary.

Schools and Preschools undertaking procurement below the $220,000 threshold may also wish to conduct a more simplified risk assessment where the procurement is of a routine or simple nature.

6.6 Risk Treatment

Depending on the level of risk identified, the following risk treatment options may be considered:

• Accept the risk (this may be appropriate where there is no feasible treatment option or where the impact of the risk is minimal);
• Avoid the risk;
• Reduce the likelihood of occurrence;
• Reduce the consequences (e.g. contingency plan should the risk occur);
• Share the risk (e.g. insurance).

Appendix 4 provides details on applying the actions and examples.


6.7 Risk Management

An important step in managing procurement risk is to ensure that the situation is monitored and corrective action is taken where appropriate.

One method of risk monitoring could be via a ‘risk management plan’ - an action plan that outlines how the identified risk will be managed. A risk management plan can take any form as long as it describes what is going to be done, who is going to do it and when. Risk management plans can be recorded in the Department’s approved Risk Assessment Table.

The level of detail in risk management should be commensurate with the level of risk of the project. If the risk rating process produces a high rating, more detailed monitoring and reviewing needs to be carried out. If the rating is low, a less detailed review is required.

An effective risk management plan may include the following items:

• A statement of the project or contract objectives and critical success factors;
• An assessment of the adequacy of the objectives or targets;
• A structure of how the risks will be identified and analysed;
• An assessment of the product or service features;
• A list of risks under each category showing the likelihood and consequence ratings of each risk;
• An action plan showing the priority of each risk and how the risks will be managed; and
• A statement about how the risk will be reviewed during the project.

All DECD worksites should monitor risks and the effectiveness of treatments on a regular basis. The nature of risk may change throughout the course of a procurement process and it is likely that the risk management process may need to be repeated and appropriate action taken as required. In all cases, there is a need to record risks along with the applicable treatment.

Details of when and how the risk management plan will be reviewed, and who will do it, can be recorded in the Risk Monitoring Table (refer to Appendix 5).

For further information or assistance on the Risk Management process relating to procurement processes, please contact the Procurement Unit on (08) 8226 1610.


7. ROLES AND RESPONSIBILITIES

| Party / Parties | Roles and responsibilities |
|---|---|
| Chief Executive | The Chief Executive is accountable for ensuring that risk management frameworks that relate to the organisation’s business and organisational context are developed and implemented. |
| Managers | Managers are responsible for ensuring staff undertaking any procurement processes within their role are sufficiently informed about relevant procurement procedures and guidelines. Managers include Executive Directors, Directors, Assistant Directors, Principals and Supervisors. |
| Staff | Employees required to undertake purchases on behalf of their worksite should familiarise themselves and maintain currency with relevant legislation and government / department procurement requirements. |

8. MONITORING, EVALUATION AND REVIEW

The Procurement Unit will review this guideline on a yearly basis, or upon changes to government requirements if this occurs sooner.

9. ASSOCIATED DOCUMENTS

• DECD Risk Management Policy
• DECD Risk Management Framework
• DECD Glossary of Risk Management Terms
• State Procurement Board Risk Management Guideline


APPENDIX 1 – IDENTIFYING RISK EXAMPLES

(The following is not an exhaustive list and different risks may be identified based on the nature of the procurement)

Risk Category: Planning and Preparation
• Unrealistic time/cost expectations
• Conflict with existing contracts/supply arrangements
• Limited capacity to access necessary information
• Legal complexities
• Delays in obtaining approvals
• Incorrect method of approach selected

Risk Category: Product/Service
• Limited availability
• Complex to manufacture/source
• Integration of the product into existing environment
• Delays in delivery, testing and installing
• Unsafe use of hazardous materials or practices
• Final product/service does not meet expectations

Risk Category: Procurement Process
• Lack of probity or unethical behaviour
• Changes to scope and/or specifications
• Proper processes are not followed
• Risks are not adequately managed
• Tender process does not achieve value for money
• Government policies not followed

Risk Category: Industry and Suppliers
• Lack of interest in response to tender
• Limited number of potential suppliers
• Industrial disputes
• Lack of capacity of individual contractors
• Complacency in long term supplier relationships
• Non performance of contractors

Risk Category: Management
• Inappropriately qualified or resourced project team
• Lack of communication amongst team/facilitators
• Responsibilities of project staff not clearly defined
• Expectations and objectives unclear
• Contract is poorly managed
• Loss of corporate memory relating to contract
• Unethical behaviour/conflicts of interest

Risk Category: Stakeholders
• Public sensitivity/high level of media scrutiny
• Conflict among stakeholders
• Change in government policy/political demands
• Ineffective communication and consultation

Risk Category: Contract
• Offer lapse before execution
• Errors/omissions in the contract
• Default by the supplier/termination of the contract
• Payments made in advance of goods/service received
• Acceptance of suppliers’ terms and conditions
• Bank guarantees
• Procurement objectives not realised
• Unplanned changes to scope and/or technology
• Lack of proper records
• Mismanagement of sub-contractors
• Unjustified contract extensions/amendments
• Fraud


APPENDIX 2 – TABLE 1: DECD RISK ASSESSMENT CRITERIA MATRIX

This table is a generic table intended as guidance on applying consequence ratings and should be adapted to and interpreted for specific procurement risk assessment processes.

Risk categories (columns): Strategic; Financial; Operational (Service Delivery, People, Technology); Legal/Regulatory/Compliance; Reputation. Consequence levels (rows): Catastrophic/Critical; Major; Moderate; Minor; Insignificant.

Consequence: Catastrophic/Critical

Strategic
• Significant impact on DECD’s ability to achieve its strategic objectives in relation to learning and care of students and children
• Significant impact on DECD’s ability to achieve its corporate, governance and accountability strategic objectives
• Ongoing loss of critical infrastructure
• Catastrophic/Long-term workforce/community harm
• Catastrophic long term environmental harm
• Sudden/prolonged loss of significant proportion of key leadership

Financial
• Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
  o > $5 million, or
  o 15% deviation from corporate budget
  o 30% deviation from unit/programme budget
• Failure/breach of multiple fundamental controls that places the organisation in a position where it cannot operate with due care or within acceptable organisational parameters

Operational (Service Delivery, People, Technology)
• Significant erosion or effect on customer base
• Death of adult or child
• Majority of critical projects/programmes cannot be achieved
• Ongoing loss of critical infrastructure and systems

Legal/Regulatory/Compliance
• Sustained non-compliance to legislation that has funding impact and/or “duty of care” impact

Reputation
• Sustained negative publicity or damage to reputation from a national perspective, industry perspective or from the community welfare perspective
• Significant long term damage to public confidence in the government policy platform, leading to sustained compromise in the achievement of DECD strategic objectives

Consequence: Major

Strategic
• Major impact on DECD’s ability to achieve its strategic objectives in relation to learning and care of students and children
• Major impact on DECD’s ability to achieve its corporate, governance and accountability strategic objectives
• Impact cannot be managed within DECD’s existing framework
• Long-term loss of critical infrastructure
• Significant long-term workforce/community harm
• Significant long-term environmental harm
• Loss of key leadership or CE

Financial
• Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
  o $1 - $5 million, or
  o 5% - 15% deviation from corporate budget, or
  o 15% - 30% deviation from unit/programme budget
• External audit qualification on the report and accounts and discussion in parliament
• Failure/breach of a fundamental control

Operational (Service Delivery, People, Technology)
• Major adverse effect on customer base
• Effectiveness and efficiency of organisation significantly reduced
• Multiple serious injuries and/or major OHS&W liability incident/issue
• Major project over-run or failure of project/programme to meet key requirements
• Major IT and IT security related incidents
• Major disruption in business

Legal/Regulatory/Compliance
• Serious failure to comply with legal or regulatory requirements that may result in fines and/or curbing of business/suspension/public admonishment and/or parliamentary enquiry
• Failure to comply with legal or regulatory requirements in some instances that may result in warning letter/admonishment to senior management
• Regulatory non-compliance which place individuals at risk of harm
• Potential for significant restrictions on business activities
• Significant breach of code of ethics/conduct or accepted industry practices

Reputation
• Negative publicity or damage to reputation from a national perspective, industry perspective or community welfare perspective.
• Damages public confidence in the government policy platform

Consequence: Moderate

Strategic
• Minor impact on critical DECD objectives in relation to learning and care of students and children
• Minor impact on critical DECD corporate, governance and accountability strategic objectives
• Significant adjustment to resource allocation and service required to manage impact
• Loss of support infrastructure
• Significant short term workforce/community harm
• Significant short-term environmental harm

Financial
• Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
  o $500,000 - $1 million, or
  o 2% - 5% deviation from corporate budget
  o 5% - 15% deviation from unit/programme budget
• External audit management letter contains significant issues or employees
• Breach of a major control but compensating controls are in operation

Operational (Service Delivery, People, Technology)
• Moderate adverse effect on customer base
• Effectiveness and efficiency of some major organisational elements reduced
• Serious injury and/or illness
• Moderate delays in project implementation, moderate cost and time over-runs
• Moderate disruption in business

Legal/Regulatory/Compliance
• Moderate regulatory breaches / non-compliance resulting in comments in relevant inspections/reports and/or ministerial enquiries.
• Breach of code of ethics/conduct or accepted industry practices

Reputation
• Negative publicity or damage to reputation to a specific audience which may not have significant long-term or community effects

Consequence: Minor

Strategic
• Negligible impact on critical DECD objectives
• Additional internal management efforts required to manage impact
• Interruption to support infrastructure
• Minor transient workforce/community harm
• Minor transient environmental harm

Financial
• Loss of assets, adverse impact on annual revenues or costs of lower of either:
  o < $500,000 or
  o < 2% deviation from corporate budget, or
  o < 5% deviation on unit/programme budget
• External audit raises some isolated findings
• Failure of an enhancement control with core controls in operation

Operational (Service Delivery, People, Technology)
• Minor effect on customer base
• Effectiveness and efficiency of elements of the organisation is reduced
• First aid or minor lost time injury and/or minor OH&S liability incident/issue
• Minor delays and over-runs in project and programme implementation
• Minor disruption of business

Legal/Regulatory/Compliance
• Minor impact to code of ethics/conduct or accepted industry practices

Reputation
• Minor negative publicity or damage to reputation to an insignificant audience

Consequence: Insignificant

Strategic
• Negligible impact on critical DECD objectives
• Impact can be managed through routine activities

Financial
• Insignificant loss of assets or insignificant adverse impact on annual revenues or costs

Operational (Service Delivery, People, Technology)
• Negligible impact on customer base
• Negligible impact on effectiveness of the organisation
• Incident with or without minor injury

Legal/Regulatory/Compliance
• Little or no impact to code of ethics/conduct or accepted industry practices

Reputation
• Minor unsubstantiated negative publicity or damage to reputation to an insignificant audience


APPENDIX 2 – TABLE 2: DECD RISK RATING MATRIX

This table may be used as a guide to analyse and assess risk ratings based on consequences (Appendix 3) and likelihood in order to prioritise risk for risk management action plan development.

From the risk rating you can then choose a course of further action for the risk. Below is a general guide to the action that might be taken.

Risk Rating: Action required
• Extreme Risk: Immediate action required
• High Risk: Senior Management attention needed.
• Moderate Risk: Management responsibility must be specified
• Low Risk: Manage by routine procedures

| Likelihood | Rare | Unlikely | Possible | Likely | Almost Certain |
|---|---|---|---|---|---|
| Control failures or repetitive risk events in business as usual | Possibility of occurrence less than 5% | Possibility of occurrence between 5% - 25% | Possibility of occurrence between 25% - 50% | Possibility of occurrence between 50% - 75% | Possibility of occurrence more than 75% |
| Discrete risk events, e.g. earthquake, loss of key personnel, failure to meet strategic objectives, etc. | May occur less than once in 15 years | May occur at least once in 5-15 years | May occur at least once in 2-5 years | May occur at least once in a year | May occur multiple times in a year |

| Consequence | Rare | Unlikely | Possible | Likely | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic/Critical | High | High | High | Extreme | Extreme |
| Major | Moderate | Moderate | High | High | Extreme |
| Moderate | Low | Moderate | Moderate | High | High |
| Minor | Low | Low | Moderate | Moderate | High |
| Insignificant | Low | Low | Low | Moderate | Moderate |


APPENDIX 3 – RISK ASSESSMENT TABLE

Table columns:
• No
• Risk Description (including cause of risk)
• Impact Description (impact/effect if the risk eventuates)
• Existing Controls (Actual & Factual – a control is in place, not a planned action)
• Control Owner
• Existing Control Assessment
• Current Level of Risk (Consequence x Likelihood)
• Risk Treatment Action Plan (Approved strategies to be put in place)
• Treatment Owner and Treatment Due Date (for action plan)
• Remaining Level of Risk (Consequence x Likelihood)
• Risk monitoring and reporting (e.g. Are the existing controls effective or have any failed; are treatment plans fully implemented &/or tracking to plan; and are additional measures required to manage the risk)

Example entry:
• No: 1
• Current Level of Risk: Moderate (C), Possible (L): MODERATE
• Remaining Level of Risk: Minor (C), Unlikely (L): LOW
• Risk monitoring and reporting: e.g. date reviewed, controls effective, treatments delayed due to competing objectives or treatments are 90% complete.

Notes:
- To assess the level of risk refer Appendix 2 (Table 1 and 2). The Current Level of Risk should take into consideration the existing controls and the effectiveness of those controls.
- The Remaining (Residual) Level of Risk should be an assessment based on the likely remaining level of risk once all risk treatments are implemented.

Risks Assessment completed by:………………………………… Date:………………..
Updated By:
Updated On:


APPENDIX 4 – RISK TREATMENT OPTIONS

| Action | Application | Example Treatment |
|---|---|---|
| Accept the Risk | Appropriate where the impact of the risk is minimal or insignificant and outweighs the measures, financial or otherwise, required to control or eliminate the risk. | Manage the risk using existing procedures. |
| Avoid the Risk | This involves deciding not to proceed or continue with the activity likely to generate the risk (if this is practical). It should be noted that risk avoidance might well increase the significance of other risks. | Cease the activity affected by the risk. |
| Reduce the Likelihood of Occurrence | This involves modifying the environment to minimise the identified risk(s). When potential risk situations are identified, alternative courses of action should be evaluated to determine if the undesirable outcome could be avoided at a reasonable cost. As a general guideline, the preventative actions should cost less than the expected value of exposure and/or less than the cost of the contingency plan. | Review contract terms and conditions, upgrade supervisory requirements, and conduct additional project analysis. |
| Reduce the Consequence | This involves implementing a contingency plan (or similar actions) where preventative action is either unavailable, the cost of prevention is prohibitive or the preventative action fails. | Contingency plan, Business Continuity Plan, alternative supplier arrangements, etc. |
| Share the Risk | Sharing responsibility for the risk with another party, who ultimately bears some of the consequences if the risk occurs. Depending on the risk level, it is recommended that careful qualification of the third party be undertaken and contracted in advance. | Insurance policies or contractual agreements with third parties. |


APPENDIX 5 – EXAMPLE OF DETAILED RISK MONITORING TABLE

Compiled by:………………………………………….Date:…………………………….

Table columns:
• What are the key objectives/features of the contracting project?
• What are the things you need to monitor to ensure that the objectives/features are achieved?
• Planned date
• Responsibility for action

e.g. monitor existing risk controls and/or the progress of implementation of risk treatments.

A workbook can be developed to assist in the monitoring process. The workbook should contain all relevant information relating to the contract including:

• Project objectives and critical success factors;
• Principal’s and Contractor’s obligations;
• Risk Analysis Matrix;
• Risk Register Table;
• Risk Assessment Table;
• Risk Treatment Table; and
• Risk Monitoring Table.