Guideline ID no: MR2961/2004
Managed by: Procurement Unit
Responsible position:
Version: 4.2
File number: 2961/2004
Status: Current
Security classification: Not Classified
Contact person: Ty Potticary
Contact position:
8226 1347
November 2013
November 2014
CONTENTS
1. TITLE
2. PURPOSE
3. SCOPE
4. OBJECTIVES
5. RISK MANAGEMENT
6. THE RISK MANAGEMENT PROCESS
6.1 Communication throughout the Process
6.2 Establishing the Context (Internal and External)
6.3 Risk Identification
6.4 Risk Analysis
6.5 Risk Evaluation
6.6 Risk Treatment
6.7 Risk Management
7. ROLES AND RESPONSIBILITIES
8. MONITORING, EVALUATION AND REVIEW
9. ASSOCIATED DOCUMENTS
APPENDIX 1 IDENTIFYING RISK EXAMPLES
APPENDIX 2 TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX
APPENDIX 2 TABLE 2: DECD RISK RATING MATRIX
APPENDIX 3 RISK ASSESSMENT TABLE
APPENDIX 4 RISK TREATMENT OPTIONS
APPENDIX 5 EXAMPLE OF DETAILED RISK MONITORING TABLE
REVISION RECORD
Date: Nov 2013
Version: 4.2
Revision description:
1. TITLE
Managing Risk in Procurement.
2. PURPOSE
The DECD Managing Risk in Procurement Guidelines have been developed to assist in
the identification and minimisation of risks involved in the acquisition of goods and
services.
3. SCOPE
These guidelines apply to all Department for Education and Child Development (DECD)
staff, school governing councils/school councils, pre-school management committees
and DECD ministerial committees.
4. OBJECTIVES
The guidelines are to assist in developing an understanding of risks inherent to
procurement, and the components and processes of risk management in procurement.
5. RISK MANAGEMENT
The South Australian Government's Risk Management Policy Statement (2009) places
responsibility on agency Chief Executives for the effective and timely implementation of
risk management standards and practices, in accordance with the Australian/New
Zealand Standard AS/NZS ISO 31000:2009.
The International Risk Management Standard AS/NZS ISO 31000:2009 defines risk as
the effect of uncertainty on objectives.
A risk is a future condition or circumstance which could impact on objectives if it occurs,
whereas an issue is a current event or condition which should be dealt with. Risk is
measured in terms of a combination of the consequence/impact of an event and its
likelihood, and may have a positive or negative impact.
Risk management is the systematic, positive identification of threats and the
identification of opportunities for the best use of resources. It also involves the
development of appropriate strategies to manage risk and enable an organisation to
take appropriate action towards the management of resources.
DECD has established a department-wide risk management policy/framework which is
based on the South Australian Government Policy. For further information on this
overall risk management framework, please refer to the DECD Risk Management
Policy.
The DECD Managing Risk in Procurement Guidelines specifically target risk
management relating to procurement activities within DECD.
6.2
6.3 Risk Identification
All procurement projects require the identification of potential risks associated
with the procurement. There are a number of useful tools and techniques that
can be used, including:
- checklists
- brainstorming
- systems analysis
- drawing on outside experience
- SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis
Examples of common risk categories in a procurement context have been
provided in the State Procurement Board's Risk Management Guideline, and are
included in Appendix 1 for ease of reference.
6.4 Risk Analysis
Risk analysis is a process of determining why, how and where a possible risk
might occur. It involves identifying existing controls (if any), including an
assessment of the effectiveness of those controls.
In determining the level of risk associated with procurement transactions, two
key elements require consideration:
- Likelihood: How likely is it that the potential risk will occur?
- Consequence: What would happen if the potential risk eventuates?
6.5 Risk Evaluation
Once the likelihood and consequence of the identified risks have been
analysed, it is necessary to evaluate and prioritise the risks so that the most
significant risks are treated first.
Within DECD, all procurements of $220,000 and over (GST Inclusive) require the
completion of a Full Acquisition Plan, which includes a risk assessment.
Worksites must demonstrate how the procurement will manage any current risks
identified. One way of doing this is to rate the specific risks as either extreme,
high, moderate or low depending on the combined ratings of the likelihood and
consequences. The Risk Assessment Criteria Matrix and Risk Rating Matrix
shown in Appendix 2 provide guidance on how risks can be prioritised in this
way.
Risk assessment information can then be recorded in the department's Standard
Risk Assessment Risk Identification and Assessment Table (Appendix 3).
For lower value procurement under $220,000 (GST Inclusive) the same principle
applies, but may not require the same level of input. For example, the Simplified
Acquisition Plan used by Central and Regional Offices will only require
identifying risk treatment strategies for identified risks, and the risk rating matrix
(Appendix 2) will not be necessary.
Schools and Preschools undertaking procurement below the $220,000 threshold
may also wish to conduct a more simplified risk assessment where the
procurement is of a routine or simple nature.
6.6 Risk Treatment
Depending on the level of risk identified, the following risk treatment options may
be considered:
- Accept the risk (this may be appropriate where there is no feasible treatment
  option or where the impact of the risk is minimal);
- Avoid the risk;
- Reduce the likelihood of occurrence;
- Reduce the consequences (e.g. contingency plan should the risk occur);
- Share the risk (e.g. insurance).
Appendix 4 provides details on applying the actions and examples.
6.7 Risk Management
An important step in managing procurement risk is to ensure that the situation is
monitored and corrective action is taken where appropriate.
One method of risk monitoring could be via a risk management plan - an action
plan that outlines how the identified risk will be managed. A risk management
plan can take any form as long as it describes what is going to be done, who is
going to do it and when. Risk management plans can be recorded in the
Department's approved Risk Assessment Table.
The level of detail in risk management should be commensurate with the level of
risk of the project. If the risk rating process produces a high rating, more detailed
monitoring and reviewing needs to be carried out. If the rating is low, a less
detailed review is required.
An effective risk management plan may include the following items:
All DECD worksites should monitor risks and the effectiveness of treatments on
a regular basis. The nature of risk may change throughout the course of a
procurement process and it is likely that the risk management process may need
to be repeated and appropriate action taken as required. In all cases, there is a
need to record risks along with the applicable treatment.
Details of when and how the risk management plan will be reviewed, and who
will do it can be recorded in the Risk Monitoring Table (refer to Appendix 5).
For further information or assistance on the Risk Management process relating
to procurement processes, please contact the Procurement Unit on (08) 8226
1610.
7. ROLES AND RESPONSIBILITIES
Party / Parties
- Chief Executive
- Managers
- Staff
8. MONITORING, EVALUATION AND REVIEW
9. ASSOCIATED DOCUMENTS
- DECD Risk Management Policy
- DECD Risk Management Framework
- DECD Glossary of Risk Management Terms
- State Procurement Board Risk Management Guideline
APPENDIX 1 IDENTIFYING RISK EXAMPLES (The following is not an exhaustive list and different risks may be identified based on the nature of the procurement)
Risk Category
- Planning and Preparation
- Product/Service
- Procurement Process
- Management
- Stakeholders
- Contract
Examples
APPENDIX 2 TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX
Column headings: Financial, Operational, Reputation
Consequence levels: Critical, Major, Moderate, Minor, Insignificant
Criteria:
- Significant impact on DECD's ability to achieve its strategic objectives in relation to learning and care of students and children
- Significant impact on DECD's ability to achieve its corporate, governance and accountability strategic objectives
- Ongoing loss of critical infrastructure
- Catastrophic/long-term workforce/community harm
- Catastrophic long-term environmental harm
- Sudden/prolonged loss of significant proportion of key leadership
- Major impact on DECD's ability to achieve its strategic objectives in relation to learning and care of students and children
- Major impact on DECD's ability to achieve its corporate, governance and accountability strategic objectives
- Impact cannot be managed within DECD's existing framework
- Long-term loss of critical infrastructure
- Significant long-term workforce/community harm
- Significant long-term environmental harm
- Loss of key leadership or CE
- Failure/breach of multiple fundamental controls that places the organisation in a position where it cannot operate with due care or within acceptable organisational parameters
- Significant erosion or effect on customer base
- Death of adult or child
- Majority of critical projects/programmes cannot be achieved
- Ongoing loss of critical infrastructure and systems
- Failure/breach of a fundamental control
- Major adverse effect on customer base
- Effectiveness and efficiency of organisation significantly reduced
- Multiple serious injuries and/or major OHS&W liability incident/issue
- Major project over-run or failure of project/programme to meet key requirements
- Major IT and IT security related incidents
- Major disruption in business
- Sustained non-compliance to legislation that has funding impact and/or duty of care impact
- Significant adjustment to resource allocation and service required to manage impact
- Loss of support infrastructure
- Significant short-term environmental harm
- Negligible impact on critical DECD objectives
- Additional internal management efforts required to manage impact
- Interruption to support infrastructure
- Minor transient workforce/community harm
- Minor transient environmental harm
- Negligible impact on critical DECD objectives
- Impact can be managed through routine activities
- industry practices
- Failure of an enhancement control with core controls in operation
- Minor effect on customer base
- Effectiveness and efficiency of elements of the organisation is reduced
- First aid or minor lost time injury and/or minor OH&S liability incident/issue
- Minor delays and over-runs in project and programme implementation
- Minor disruption of business
- Negligible impact on customer base
- Negligible impact on effectiveness of the organisation
- Incident with or without minor injury
- External audit management letter contains significant issues
- or employees
APPENDIX 2 TABLE 2: DECD RISK RATING MATRIX
Likelihood
- Rare
- Unlikely: Possibility of occurrence between 5% - 25%
- Possible: Possibility of occurrence between 25% - 50%
- Likely: Possibility of occurrence between 50% - 75%
- Almost Certain: Possibility of occurrence more than 75%
Discrete risk events, e.g. earthquake, loss of key personnel, failure to meet strategic objectives, etc.
May occur at least once in 5-15 years
Risk rating by Consequence (rows) and Likelihood (columns)
Consequence            Rare      Unlikely  Possible  Likely    Almost Certain
Catastrophic/Critical  High      High      High      Extreme   Extreme
Major                  Moderate  Moderate  High      High      Extreme
Moderate               Low       Moderate  Moderate  High      High
Minor                  Low       Low       Moderate  Moderate  High
Insignificant          Low       Low       Low       Moderate  Moderate
(Appendix 3) and likelihood in order to prioritise risk for risk management action plan development
From the risk rating you can then choose a course of further action for the risk. Below is a general
guide to the action that might be taken.
Risk Rating and action required:
- Extreme Risk: Immediate action required
- High Risk: Senior Management attention needed.
- Moderate Risk: Management responsibility must be specified
- Low Risk: Manage by routine procedures
APPENDIX 3 RISK ASSESSMENT TABLE
Table columns:
- Risk Description (including cause of risk)
- Impact Description
- Existing Controls (Actual & Factual: a control is in place, not a planned action)
- Control Owner
- Existing Control Assessment
- Current Level of Risk (Consequence x Likelihood)
- Risk Treatment Action Plan (Approved strategies to be put in place)
- Treatment Owner and Treatment Due Date
- Remaining Level of Risk (Consequence x Likelihood)
Example entries:
- Current Level of Risk: Moderate (C), Possible (L): MODERATE
- Remaining Level of Risk: Minor (C), Unlikely (L): LOW
Notes:
- To assess the level of risk, refer to Appendix 2 (Tables 1 and 2). The Current Level of Risk should take into consideration the existing controls and the effectiveness of those controls.
- The Remaining (Residual) Level of Risk should be an assessment based on the likely remaining level of risk once all risk treatments are implemented.
Date:..
Updated On:
APPENDIX 4 RISK TREATMENT OPTIONS
Application
- Accept the risk: Appropriate where the impact of the risk is
  minimal or insignificant and outweighs the
  measures, financial or otherwise, required to
  control or eliminate the risk.
- Avoid the risk: This involves deciding not to proceed or
  continue with the activity likely to generate the
  risk (if this is practical). It should be noted that
  risk avoidance might well increase the
  significance of other risks.
- Reduce the likelihood of occurrence: This involves modifying the environment to
  minimise the identified risk(s). When potential
  risk situations are identified, alternative
  courses of action should be evaluated to
  determine if the undesirable outcome could be
  avoided at a reasonable cost. As a general
  guideline, the preventative actions should cost
  less than the expected value of exposure
  and/or less than the cost of the
  contingency plan.
- Reduce the consequences: This involves implementing a contingency plan
  (or similar actions) where preventative action is
  either unavailable, the cost of prevention is
  prohibitive or the preventative action fails.
- Share the risk: Sharing responsibility for the risk with another
  party, who ultimately bears some of the
  consequences if the risk occurs. Depending
  on the risk level, it is recommended that careful
  qualification of the third party be undertaken
  and contracted in advance.
Example Treatment
- Manage the risk using existing procedures.
APPENDIX 5 EXAMPLE OF DETAILED RISK MONITORING TABLE
Responsibility for action
A workbook can be developed to assist in the monitoring process. The workbook should contain all
relevant information relating to the contract including:
- Project objectives and critical success factors;
- Principal's and Contractor's obligations;
- Risk Analysis Matrix;
- Risk Register Table;
- Risk Assessment Table;
- Risk Treatment Table; and
- Risk Monitoring Table.