Managing Risk in Procurement Page 1 of 14 November 2013
© Department for Education and Child Development 2013
Guideline ID no MR2961/2004
MANAGING RISK IN PROCUREMENT
GUIDELINES
This guideline is applicable to: All DECD Staff; All School Governing Council/School Council Members; Pre-School Management Committees; and DECD Ministerial Committees.
Managed by: Procurement Unit
Responsible position: Assistant Director, Procurement and Contracting
Version: 4.2
Contact person: Ty Potticary
Approved by: Chair, Procurement Governance Committee
File number: 2961/2004
Contact position: Senior Project Officer, Procurement/Fleet
Date approved: November 2013
Status: Current
Contact number: 8226 1347
Next review date: November 2014
Security classification: Not Classified
Document uncontrolled when printed
CONTENTS
1. TITLE
2. PURPOSE
3. SCOPE
4. OBJECTIVES
5. RISK MANAGEMENT
6. THE RISK MANAGEMENT PROCESS
6.1 Communication throughout the Process
6.2 Establishing the Context (Internal and External)
6.3 Risk Identification
6.4 Risk Analysis
6.5 Risk Evaluation
6.6 Risk Treatment
6.7 Risk Management
7. ROLES AND RESPONSIBILITIES
8. MONITORING, EVALUATION AND REVIEW
9. ASSOCIATED DOCUMENTS
APPENDIX 1 – IDENTIFYING RISK EXAMPLES
APPENDIX 2 – TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX
APPENDIX 2 – TABLE 2: DECD RISK RATING MATRIX
APPENDIX 3 – RISK ASSESSMENT TABLE
APPENDIX 4 – RISK TREATMENT OPTIONS
APPENDIX 5 – EXAMPLE OF DETAILED RISK MONITORING TABLE
REVISION RECORD
Date: Nov 2013
Version: 4.2
Revision description: Aligned common procurement risk categories (Appendix 1) to State Procurement Board information. Updated department name (DECS to DECD).
1. TITLE
Managing Risk in Procurement.
2. PURPOSE
The DECD Managing Risk in Procurement Guidelines have been developed to assist in the identification and minimisation of risks involved in the acquisition of goods and services.
3. SCOPE
These guidelines apply to all Department for Education and Child Development (DECD) staff, school governing councils/school councils, pre-school management committees and DECD ministerial committees.
4. OBJECTIVES
The guidelines are to assist in developing an understanding of risks inherent to procurement, and the components and processes of risk management in procurement.
5. RISK MANAGEMENT
The South Australian Government’s Risk Management Policy Statement (2009) places responsibility on agency Chief Executives for the effective and timely implementation of risk management standards and practices, in accordance with the Australian/New Zealand Standard AS/NZS ISO 31000:2009.
The International Risk Management Standard AS/NZS ISO 31000:2009 defines risk as the ‘effect of uncertainty on objectives’. A risk is a future condition or circumstance which could impact on objectives if it occurs, whereas an issue is a current event or condition which should be dealt with. Risk is measured in terms of a combination of the consequence/impact of an event and its likelihood, and may have a positive or negative impact.
Risk management is the systematic, positive identification of threats and the identification of opportunities for the best use of resources. It also involves the development of appropriate strategies to manage risk and enable an organisation to take appropriate action towards the management of resources.
DECD has established a department-wide risk management policy/framework which is based on the South Australian Government Policy. For further information on this overall risk management framework, please refer to the DECD Risk Management Policy. The DECD Managing Risk in Procurement Guidelines specifically target risk management relating to procurement activities within DECD.
6. THE RISK MANAGEMENT PROCESS
The level of detail and effort required to manage risk in procurement will vary depending on the nature and value of the procurement.
As a guide, the following key steps in the risk management process are provided for consideration when undertaking procurement:
6.1 Communication throughout the Process
Undertake communication and consultation with the relevant internal and external stakeholders. This ensures that all stakeholders share the same understanding of risks within each procurement project and how they are to be handled.
6.2 Establishing the Context (Internal and External)
To establish the context, we must understand the environment in which the procurement is being undertaken, in line with the organisation, stakeholders, strategy and the associated importance of risk management for that transaction.
To establish the risk management context for the procurement, consider the following:
• the organisation’s cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment;
• the importance of the procurement to the business and its objectives;
• the relationships with, and the perceptions and values of, internal and external stakeholders;
• capabilities in terms of resources such as people, processes, capital, systems and technology;
• the organisation’s approach to risk in terms of levels of acceptable risk;
• defining responsibilities for risk management in the procurement process; and
• previous experience or lessons learned with similar contracts.
6.3 Risk Identification
All procurement projects require the identification of potential risks associated with the procurement. There are a number of useful tools and techniques that can be used, including:
• checklists
• brainstorming
• systems analysis
• drawing on outside experience
• SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis
Examples of common risk categories in a procurement context have been provided in the State Procurement Board’s Risk Management Guideline, and are included in Appendix 1 for ease of reference.
6.4 Risk Analysis
Risk analysis is a process of determining why, how and where a possible risk might occur. It involves identifying existing controls (if any), including an assessment of the effectiveness of those controls. In determining the level of risk associated with procurement transactions, two key elements require consideration:
• Likelihood: How likely is it that the potential risk will occur?
• Consequence: What would happen if the potential risk eventuates?
6.5 Risk Evaluation
Once the likelihood and consequence of the identified risks have been analysed, it is necessary to evaluate and prioritise the risks so that the most significant risks are treated first.
Within DECD, all Procurements $220,000 and over (GST Inclusive) require the completion of a ‘Full Acquisition Plan’, which includes a risk assessment. Worksites must demonstrate how the procurement will manage any current risks identified. One way of doing this is to rate the specific risks as either extreme, high, moderate or low depending on the combined ratings of the likelihood and consequences. The Risk Assessment Criteria Matrix and Risk Rating Matrix shown in Appendix 2 provide guidance on how risks can be prioritised in this way.
Risk assessment information can then be recorded in the department’s Standard Risk Assessment Risk Identification and Assessment Table (Appendix 3).
For lower value procurement under $220,000 (GST Inclusive) the same principle applies, but may not require the same level of input. For example, the ‘Simplified Acquisition Plan’ used by Central and Regional Offices will only require identifying risk treatment strategies for identified risks, and the risk rating matrix (Appendix 2) will not be necessary.
Schools and Preschools undertaking procurement below the $220,000 threshold may also wish to conduct a more simplified risk assessment where the procurement is of a routine or simple nature.
6.6 Risk Treatment
Depending on the level of risk identified, the following risk treatment options may be considered:
• Accept the risk (this may be appropriate where there is no feasible treatment option or where the impact of the risk is minimal);
• Avoid the risk;
• Reduce the likelihood of occurrence;
• Reduce the consequences (e.g. contingency plan should the risk occur);
• Share the risk (e.g. insurance).
Appendix 4 provides details on applying the actions and examples.
6.7 Risk Management
An important step in managing procurement risk is to ensure that the situation is monitored and corrective action is taken where appropriate.
One method of risk monitoring could be via a ‘risk management plan’ - an action plan that outlines how the identified risk will be managed. A risk management plan can take any form as long as it describes what is going to be done, who is going to do it and when. Risk management plans can be recorded in the Department’s approved Risk Assessment Table.
The level of detail in risk management should be commensurate with the level of risk of the project. If the risk rating process produces a high rating, more detailed monitoring and reviewing needs to be carried out. If the rating is low, a less detailed review is required.
An effective risk management plan may include the following items:
• A statement of the project or contract objectives and critical success factors;
• An assessment of the adequacy of the objectives or targets;
• A structure of how the risks will be identified and analysed;
• An assessment of the product or service features;
• A list of risks under each category showing the likelihood and consequence ratings of each risk;
• An action plan showing the priority of each risk and how the risks will be managed; and
• A statement about how the risk will be reviewed during the project.
All DECD worksites should monitor risks and the effectiveness of treatments on a regular basis. The nature of risk may change throughout the course of a procurement process and it is likely that the risk management process may need to be repeated and appropriate action taken as required. In all cases, there is a need to record risks along with the applicable treatment.
Details of when and how the risk management plan will be reviewed, and who will do it, can be recorded in the Risk Monitoring Table (refer to Appendix 5).
For further information or assistance on the Risk Management process relating to procurement processes, please contact the Procurement Unit on (08) 8226 1610.
7. ROLES AND RESPONSIBILITIES
Party / Parties: Roles and responsibilities
Chief Executive: The Chief Executive is accountable for ensuring that risk management frameworks that relate to the organisation’s business and organisational context are developed and implemented.
Managers: Managers are responsible for ensuring staff undertaking any procurement processes within their role are sufficiently informed about relevant procurement procedures and guidelines. Managers include Executive Directors, Directors, Assistant Directors, Principals and Supervisors.
Staff: Employees required to undertake purchases on behalf of their worksite should familiarise themselves and maintain currency with relevant legislation and government / department procurement requirements.
8. MONITORING, EVALUATION AND REVIEW
The Procurement Unit will review this guideline on a yearly basis, or upon changes to government requirements if this occurs sooner.
9. ASSOCIATED DOCUMENTS
DECD Risk Management Policy
DECD Risk Management Framework
DECD Glossary of Risk Management Terms
State Procurement Board Risk Management Guideline
APPENDIX 1 – IDENTIFYING RISK EXAMPLES
(The following is not an exhaustive list and different risks may be identified based on the nature of the procurement)
Risk Category: Examples
Planning and Preparation:
• Unrealistic time/cost expectations
• Conflict with existing contracts/supply arrangements
• Limited capacity to access necessary information
• Legal complexities
• Delays in obtaining approvals
• Incorrect method of approach selected
Product/Service:
• Limited availability
• Complex to manufacture/source
• Integration of the product into existing environment
• Delays in delivery, testing and installing
• Unsafe use of hazardous materials or practices
• Final product/service does not meet expectations
Procurement Process:
• Lack of probity or unethical behaviour
• Changes to scope and/or specifications
• Proper processes are not followed
• Risks are not adequately managed
• Tender process does not achieve value for money
• Government policies not followed
Industry and Suppliers:
• Lack of interest in response to tender
• Limited number of potential suppliers
• Industrial disputes
• Lack of capacity of individual contractors
• Complacency in long term supplier relationships
• Non performance of contractors
Management:
• Inappropriately qualified or resourced project team
• Lack of communication amongst team/facilitators
• Responsibilities of project staff not clearly defined
• Expectations and objectives unclear
• Contract is poorly managed
• Loss of corporate memory relating to contract
• Unethical behaviour/conflicts of interest
Stakeholders:
• Public sensitivity/high level of media scrutiny
• Conflict among stakeholders
• Change in government policy/political demands
• Ineffective communication and consultation
Contract:
• Offer lapse before execution
• Errors/omissions in the contract
• Default by the supplier/termination of the contract
• Payments made in advance of goods/service received
• Acceptance of suppliers’ terms and conditions
• Bank guarantees
• Procurement objectives not realised
• Unplanned changes to scope and/or technology
• Lack of proper records
• Mismanagement of sub-contractors
• Unjustified contract extensions/amendments
• Fraud
APPENDIX 2 – TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX
This table is a generic table intended as guidance on applying consequence ratings and should be adapted to and interpreted for specific procurement risk assessment processes.
Risk Categories: Strategic; Financial; Operational (Service Delivery, People, Technology); Legal/Regulatory/Compliance; Reputation
Consequence: Catastrophic/Critical
Strategic:
• Significant impact on DECD’s ability to achieve its strategic objectives in relation to learning and care of students and children
• Significant impact on DECD’s ability to achieve its corporate, governance and accountability strategic objectives
• Ongoing loss of critical infrastructure
• Catastrophic/long-term workforce/community harm
• Catastrophic long term environmental harm
• Sudden/prolonged loss of significant proportion of key leadership
Financial:
• Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
o > $5 million, or
o 15% deviation from corporate budget
o 30% deviation from unit/programme budget
• Failure/breach of multiple fundamental controls that places the organisation in a position where it cannot operate with due care or within acceptable organisational parameters
Operational:
• Significant erosion or effect on customer base
• Death of adult or child
• Majority of critical projects/programmes cannot be achieved
• Ongoing loss of critical infrastructure and systems
Legal/Regulatory/Compliance:
• Sustained non-compliance to legislation that has funding impact and/or “duty of care” impact
Reputation:
• Sustained negative publicity or damage to reputation from a national perspective, industry perspective or from the community welfare perspective
• Significant long term damage to public confidence in the government policy platform, leading to sustained compromise in the achievement of DECD strategic objectives
Consequence: Major
Strategic:
• Major impact on DECD’s ability to achieve its strategic objectives in relation to learning and care of students and children
• Major impact on DECD’s ability to achieve its corporate, governance and accountability strategic objectives
• Impact cannot be managed within DECD’s existing framework
• Long-term loss of critical infrastructure
• Significant long-term workforce/community harm
• Significant long-term environmental harm
• Loss of key leadership or CE
Financial:
• Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
o $1 - $5 million, or
o 5% - 15% deviation from corporate budget, or
o 15% - 30% deviation from unit/programme budget
• External audit qualification on the report and accounts and discussion in parliament
• Failure/breach of a fundamental control
Operational:
• Major adverse effect on customer base
• Effectiveness and efficiency of organisation significantly reduced
• Multiple serious injuries and/or major OHS&W liability incident/issue
• Major project over-run or failure of project/programme to meet key requirements
• Major IT and IT security related incidents
• Major disruption in business
Legal/Regulatory/Compliance:
• Serious failure to comply with legal or regulatory requirements that may result in fines and/or curbing of business/suspension/public admonishment and/or parliamentary enquiry
• Failure to comply with legal or regulatory requirements in some instances that may result in warning letter/admonishment to senior management
• Regulatory non-compliance which places individuals at risk of harm
• Potential for significant restrictions on business activities
• Significant breach of code of ethics/conduct or accepted industry practices
Reputation:
• Negative publicity or damage to reputation from a national perspective, industry perspective or community welfare perspective.
• Damages public confidence in the government policy platform
Consequence: Moderate
Strategic:
• Minor impact on critical DECD objectives in relation to learning and care of students and children
• Minor impact on critical DECD corporate, governance and accountability strategic objectives
• Significant adjustment to resource allocation and service required to manage impact
• Loss of support infrastructure
• Significant short term workforce/community harm
• Significant short-term environmental harm
Financial:
• Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
o $500,000 - $1 million, or
o 2% - 5% deviation from corporate budget
o 5% - 15% deviation from unit/programme budget
• External audit management letter contains significant issues or employees
• Breach of a major control but compensating controls are in operation
Operational:
• Moderate adverse effect on customer base
• Effectiveness and efficiency of some major organisational elements reduced
• Serious injury and/or illness
• Moderate delays in project implementation, moderate cost and time over-runs
• Moderate disruption in business
Legal/Regulatory/Compliance:
• Moderate regulatory breaches / non-compliance resulting in comments in relevant inspections/reports and/or ministerial enquiries.
• Breach of code of ethics/conduct or accepted industry practices
Reputation:
• Negative publicity or damage to reputation to a specific audience which may not have significant long-term or community effects
Consequence: Minor
Strategic:
• Negligible impact on critical DECD objectives
• Additional internal management efforts required to manage impact
• Interruption to support infrastructure
• Minor transient workforce/community harm
• Minor transient environmental harm
Financial:
• Loss of assets, adverse impact on annual revenues or costs of lower of either:
o < $500,000 or
o < 2% deviation from corporate budget, or
o < 5% deviation on unit/programme budget
• External audit raises some isolated findings
• Failure of an enhancement control with core controls in operation
Operational:
• Minor effect on customer base
• Effectiveness and efficiency of elements of the organisation is reduced
• First aid or minor lost time injury and/or minor OH&S liability incident/issue
• Minor delays and over-runs in project and programme implementation
• Minor disruption of business
Legal/Regulatory/Compliance:
• Minor impact to code of ethics/conduct or accepted industry practices
Reputation:
• Minor negative publicity or damage to reputation to an insignificant audience
Consequence: Insignificant
Strategic:
• Negligible impact on critical DECD objectives
• Impact can be managed through routine activities
Financial:
• Insignificant loss of assets or insignificant adverse impact on annual revenues or costs
Operational:
• Negligible impact on customer base
• Negligible impact on effectiveness of the organisation
• Incident with or without minor injury
Legal/Regulatory/Compliance:
• Little or no impact to code of ethics/conduct or accepted industry practices
Reputation:
• Minor unsubstantiated negative publicity or damage to reputation to an insignificant audience
APPENDIX 2 – TABLE 2: DECD RISK RATING MATRIX
This table may be used as a guide to analyse and assess risk ratings based on consequences (Appendix 3) and likelihood in order to prioritise risk for risk management action plan development.
From the risk rating you can then choose a course of further action for the risk. Below is a general guide to the action that might be taken.
Risk Rating: Action required
Extreme Risk: Immediate action required
High Risk: Senior Management attention needed.
Moderate Risk: Management responsibility must be specified
Low Risk: Manage by routine procedures
Likelihood, for control failures or repetitive risk events in business as usual:
Rare: Possibility of occurrence less than 5%
Unlikely: Possibility of occurrence between 5% - 25%
Possible: Possibility of occurrence between 25% - 50%
Likely: Possibility of occurrence between 50% - 75%
Almost Certain: Possibility of occurrence more than 75%
Likelihood, for discrete risk events, e.g. earthquake, loss of key personnel, failure to meet strategic objectives, etc.:
Rare: May occur less than once in 15 years
Unlikely: May occur at least once in 5-15 years
Possible: May occur at least once in 2-5 years
Likely: May occur at least once in a year
Almost Certain: May occur multiple times in a year
Risk rating for each consequence level, listed in order of likelihood (Rare, Unlikely, Possible, Likely, Almost Certain):
Catastrophic/Critical: High, High, High, Extreme, Extreme
Major: Moderate, Moderate, High, High, Extreme
Moderate: Low, Moderate, Moderate, High, High
Minor: Low, Low, Moderate, Moderate, High
Insignificant: Low, Low, Low, Moderate, Moderate
APPENDIX 3 – RISK ASSESSMENT TABLE
Table columns:
• No
• Risk Description (including cause of risk)
• Impact Description (impact/effect if the risk eventuates)
• Existing Controls (Actual & Factual – a control is in place, not a planned action)
• Control Owner
• Existing Control Assessment
• Current Level of Risk (Consequence x Likelihood)
• Risk Treatment Action Plan (Approved strategies to be put in place)
• Treatment Owner and Treatment Due Date (for action plan)
• Remaining Level of Risk (Consequence x Likelihood)
• Risk monitoring and reporting (e.g. Are the existing controls effective or have any failed; are treatment plans fully implemented &/or tracking to plan; and are additional measures required to manage the risk)
Example entry:
No: 1
Current Level of Risk: Moderate (C), Possible (L), MODERATE
Remaining Level of Risk: Minor (C), Unlikely (L), LOW
Risk monitoring and reporting: e.g. date reviewed, controls effective, treatments delayed due to competing objectives or treatments are 90% complete.
Notes:
- To assess the level of risk refer Appendix 2 (Table 1 and 2). The Current Level of Risk should take into consideration the existing controls and the effectiveness of those controls.
- The Remaining (Residual) Level of Risk should be an assessment based on the likely remaining level of risk once all risk treatments are implemented.
Risks Assessment completed by: ………………………………… Date: ………………..
Updated By: Updated On:
APPENDIX 4 - RISK TREATMENT OPTIONS
Each action is listed with its application and an example treatment.
Action: Accept the Risk
Application: Appropriate where the impact of the risk is minimal or insignificant and outweighs the measures, financial or otherwise, required to control or eliminate the risk.
Example Treatment: Manage the risk using existing procedures.
Action: Avoid the Risk
Application: This involves deciding not to proceed or continue with the activity likely to generate the risk (if this is practical). It should be noted that risk avoidance might well increase the significance of other risks.
Example Treatment: Cease the activity affected by the risk.
Action: Reduce the Likelihood of Occurrence
Application: This involves modifying the environment to minimise the identified risk(s). When potential risk situations are identified, alternative courses of action should be evaluated to determine if the undesirable outcome could be avoided at a reasonable cost. As a general guideline, the preventative actions should cost less than the expected value of exposure and/or less than the cost of the contingency plan.
Example Treatment: Review contract terms and conditions, upgrade supervisory requirements, and conduct additional project analysis.
Action: Reduce the Consequence
Application: This involves implementing a contingency plan (or similar actions) where preventative action is either unavailable, the cost of prevention is prohibitive or the preventative action fails.
Example Treatment: Contingency plan, Business Continuity Plan, alternative supplier arrangements, etc.
Action: Share the Risk
Application: Sharing responsibility for the risk with another party, who ultimately bears some of the consequences if the risk occurs. Depending on the risk level, it is recommended that careful qualification of the third party be undertaken and contracted in advance.
Example Treatment: Insurance policies or contractual agreements with third parties.
APPENDIX 5 – EXAMPLE OF DETAILED RISK MONITORING TABLE
Compiled by: …………………………………………. Date: …………………………….
Table columns:
• What are the key objectives/features of the contracting project?
• What are the things you need to monitor to ensure that the objectives/features are achieved?
• Planned date
• Responsibility for action
e.g. monitor existing risk controls and/or the progress of implementation of risk treatments.
A workbook can be developed to assist in the monitoring process. The workbook should contain all relevant information relating to the contract including:
• Project objectives and critical success factors;
• Principal’s and Contractor’s obligations;
• Risk Analysis Matrix;
• Risk Register Table;
• Risk Assessment Table;
• Risk Treatment Table; and
• Risk Monitoring Table.