
Document uncontrolled when printed

Guideline ID no MR2961/2004

MANAGING RISK IN PROCUREMENT GUIDELINES

This guideline is applicable to:
- All DECD Staff;
- All School Governing Council/School Council Members;
- Pre-School Management Committees; and
- DECD Ministerial Committees.

Managed by: Procurement Unit
Responsible position: Assistant Director, Procurement and Contracting
Version: 4.2
Approved by: Chair, Procurement Governance Committee
Date approved: November 2013
File number: 2961/2004
Status: Current
Next review date: November 2014
Security classification: Not Classified
Contact person: Ty Potticary
Contact position: Senior Project Officer, Procurement/Fleet
Contact number: 8226 1347

Managing Risk in Procurement
Department for Education and Child Development 2013
November 2013

CONTENTS
1. TITLE
2. PURPOSE
3. SCOPE
4. OBJECTIVES
5. RISK MANAGEMENT
6. THE RISK MANAGEMENT PROCESS
6.1 Communication throughout the Process
6.2 Establishing the Context (Internal and External)
6.3 Risk Identification
6.4 Risk Analysis
6.5 Risk Evaluation
6.6 Risk Treatment
6.7 Risk Management
7. ROLES AND RESPONSIBILITIES
8. MONITORING, EVALUATION AND REVIEW
9. ASSOCIATED DOCUMENTS
APPENDIX 1 IDENTIFYING RISK EXAMPLES
APPENDIX 2 TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX
APPENDIX 2 TABLE 2: DECD RISK RATING MATRIX
APPENDIX 3 RISK ASSESSMENT TABLE
APPENDIX 4 RISK TREATMENT OPTIONS
APPENDIX 5 EXAMPLE OF DETAILED RISK MONITORING TABLE

REVISION RECORD
Date: Nov 2013
Version: 4.2
Revision description:
- Aligned common procurement risk categories (Appendix 1) to State Procurement Board information.
- Updated department name (DECS to DECD)


1. TITLE
Managing Risk in Procurement.
2. PURPOSE
The DECD Managing Risk in Procurement Guidelines have been developed to assist in
the identification and minimisation of risks involved in the acquisition of goods and
services.
3. SCOPE
These guidelines apply to all Department for Education and Child Development (DECD)
staff, school governing councils/school councils, pre-school management committees
and DECD ministerial committees.

4. OBJECTIVES
The guidelines are to assist in developing an understanding of risks inherent to
procurement, and the components and processes of risk management in procurement.

5. RISK MANAGEMENT
The South Australian Government's Risk Management Policy Statement (2009) places
responsibility on agency Chief Executives for the effective and timely implementation of
risk management standards and practices, in accordance with the Australian/New
Zealand Standard AS/NZS ISO 31000:2009.
The International Risk Management Standard AS/NZS ISO 31000:2009 defines risk as
"the effect of uncertainty on objectives".
A risk is a future condition or circumstance which could impact on objectives if it occurs,
whereas an issue is a current event or condition which should be dealt with. Risk is
measured in terms of a combination of the consequence/impact of an event and its
likelihood, and may have a positive or negative impact.
Risk management is the systematic, positive identification of threats and the
identification of opportunities for the best use of resources. It also involves the
development of appropriate strategies to manage risk and enable an organisation to
take appropriate action towards the management of resources.
DECD has established a department-wide risk management policy/framework which is
based on the South Australian Government Policy. For further information on this
overall risk management framework, please refer to the DECD Risk Management
Policy.
The DECD Managing Risk in Procurement Guidelines specifically target risk
management relating to procurement activities within DECD.


6. THE RISK MANAGEMENT PROCESS


The level of detail and effort required to manage risk in procurement will vary depending
on the nature and value of the procurement.
As a guide, the following key steps in the risk management process are provided for
consideration when undertaking procurement:
6.1 Communication throughout the Process


Undertake communication and consultation with the relevant internal and
external stakeholders. This ensures that all stakeholders share the same
understanding of risks within each procurement project and how they are to be
handled.

6.2 Establishing the Context (Internal and External)


To establish the context, we must understand the environment in which the
procurement is being undertaken, in line with the organisation, stakeholders,
strategy and the associated importance of risk management for that transaction.
To establish the risk management context for the procurement consider the
following:
- the organisation's cultural, political, legal, regulatory, financial, technological,
  economic, natural and competitive environment;
- the importance of the procurement to the business and its objectives;
- the relationships with, and perceptions and values of, internal and external
  stakeholders;
- capabilities in terms of resources such as people, processes, capital, systems
  and technology;
- the organisation's approach to risk in terms of levels of acceptable risk;
- defining responsibilities for risk management in the procurement process; and
- previous experience or lessons learned with similar contracts.

6.3 Risk Identification
All procurement projects require the identification of potential risks associated
with the procurement. There are a number of useful tools and techniques that
can be used, including:
- checklists
- brainstorming
- systems analysis
- drawing on outside experience
- SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis
Examples of common risk categories in a procurement context have been
provided in the State Procurement Board's Risk Management Guideline, and are
included in Appendix 1 for ease of reference.


6.4 Risk Analysis
Risk analysis is a process of determining why, how and where a possible risk
might occur. It involves identifying existing controls (if any), including an
assessment of the effectiveness of those controls.
In determining the level of risk associated with procurement transactions, two
key elements require consideration:
- Likelihood: How likely is it that the potential risk will occur?
- Consequence: What would happen if the potential risk eventuates?

6.5 Risk Evaluation
Once the likelihood and consequence of the identified risks have been
analysed, it is necessary to evaluate and prioritise the risks so that the most
significant risks are treated first.
Within DECD, all Procurements $220,000 and over (GST Inclusive) require the
completion of a Full Acquisition Plan, which includes a risk assessment.
Worksites must demonstrate how the procurement will manage any current risks
identified. One way of doing this is to rate the specific risks as either extreme,
high, moderate or low depending on the combined ratings of the likelihood and
consequences. The Risk Assessment Criteria Matrix and Risk Rating Matrix
shown in Appendix 2 provide guidance on how risks can be prioritised in this
way.
Risk assessment information can then be recorded in the department's Standard
Risk Assessment Risk Identification and Assessment Table (Appendix 3).
For lower value procurement under $220,000 (GST Inclusive) the same principle
applies, but may not require the same level of input. For example, the Simplified
Acquisition Plan used by Central and Regional Offices will only require
identifying risk treatment strategies for identified risks, and the risk rating matrix
(Appendix 2) will not be necessary.
Schools and Preschools undertaking procurement below the $220,000 threshold
may also wish to conduct a more simplified risk assessment where the
procurement is of a routine or simple nature.

6.6 Risk Treatment
Depending on the level of risk identified, the following risk treatment options may
be considered:
- Accept the risk (this may be appropriate where there is no feasible treatment
  option or where the impact of the risk is minimal);
- Avoid the risk;
- Reduce the likelihood of occurrence;
- Reduce the consequences (e.g. contingency plan should the risk occur);
- Share the risk (e.g. insurance).
Appendix 4 provides details on applying the actions and examples.


6.7 Risk Management
An important step in managing procurement risk is to ensure that the situation is
monitored and corrective action is taken where appropriate.
One method of risk monitoring could be via a risk management plan - an action
plan that outlines how the identified risk will be managed. A risk management
plan can take any form as long as it describes what is going to be done, who is
going to do it and when. Risk management plans can be recorded in the
Department's approved Risk Assessment Table.
The level of detail in risk management should be commensurate with the level of
risk of the project. If the risk rating process produces a high rating, more detailed
monitoring and reviewing needs to be carried out. If the rating is low, a less
detailed review is required.
An effective risk management plan may include the following items:
- A statement of the project or contract objectives and critical success factors;
- An assessment of the adequacy of the objectives or targets;
- A structure of how the risks will be identified and analysed;
- An assessment of the product or service features;
- A list of risks under each category showing the likelihood and consequence
  ratings of each risk;
- An action plan showing the priority of each risk and how the risks will be
  managed; and
- A statement about how the risk will be reviewed during the project.

All DECD worksites should monitor risks and the effectiveness of treatments on
a regular basis. The nature of risk may change throughout the course of a
procurement process and it is likely that the risk management process may need
to be repeated and appropriate action taken as required. In all cases, there is a
need to record risks along with the applicable treatment.
Details of when and how the risk management plan will be reviewed, and who
will do it can be recorded in the Risk Monitoring Table (refer to Appendix 5).
For further information or assistance on the Risk Management process relating
to procurement processes, please contact the Procurement Unit on (08) 8226
1610.


7. ROLES AND RESPONSIBILITIES

Party / Parties: Roles and responsibilities

Chief Executive: The Chief Executive is accountable for ensuring that risk
management frameworks that relate to the organisation's business and
organisational context are developed and implemented.

Managers: Managers are responsible for ensuring staff undertaking any
procurement processes within their role are sufficiently informed about relevant
procurement procedures and guidelines. Managers include Executive Directors,
Directors, Assistant Directors, Principals and Supervisors.

Staff: Employees required to undertake purchases on behalf of their worksite
should familiarise themselves and maintain currency with relevant legislation and
government / department procurement requirements.

8. MONITORING, EVALUATION AND REVIEW


The Procurement Unit will review this guideline on a yearly basis, or upon changes to
government requirements if this occurs sooner.

9. ASSOCIATED DOCUMENTS
- DECD Risk Management Policy
- DECD Risk Management Framework
- DECD Glossary of Risk Management Terms
- State Procurement Board Risk Management Guideline


APPENDIX 1 IDENTIFYING RISK EXAMPLES
(The following is not an exhaustive list and different risks may be identified based on the
nature of the procurement)

Risk Category
- Planning and Preparation
- Product/Service
- Procurement Process
- Industry and Suppliers
- Management
- Stakeholders
- Contract

Examples

Unrealistic time/cost expectations


Conflict with existing contracts/supply arrangements
Limited capacity to access necessary information
Legal complexities
Delays in obtaining approvals
Incorrect method of approach selected
Limited availability
Complex to manufacture/source
Integration of the product into existing environment
Delays in delivery, testing and installing
Unsafe use of hazardous materials or practices
Final product/service does not meet expectations
Lack of probity or unethical behaviour
Changes to scope and/or specifications
Proper processes are not followed
Risks are not adequately managed
Tender process does not achieve value for money
Government policies not followed
Lack of interest in response to tender
Limited number of potential suppliers
Industrial disputes
Lack of capacity of individual contractors
Complacency in long term supplier relationships
Non performance of contractors
Inappropriately qualified or resourced project team
Lack of communication amongst team/facilitators
Responsibilities of project staff not clearly defined
Expectations and objectives unclear
Contract is poorly managed
Loss of corporate memory relating to contract
Unethical behaviour/conflicts of interest
Public sensitivity/high level of media scrutiny
Conflict among stakeholders
Change in government policy/political demands
Ineffective communication and consultation
Offer lapse before execution
Errors/omissions in the contract
Default by the supplier/termination of the contract
Payments made in advance of goods/service received
Acceptance of suppliers terms and conditions
Bank guarantees
Procurement objectives not realised
Unplanned changes to scope and/or technology
Lack of proper records
Mismanagement of sub-contractors
Unjustified contract extensions/amendments
Fraud


APPENDIX 2 TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX

This table is a generic table intended as guidance on applying consequence ratings and should be adapted to and interpreted for specific procurement
risk assessment processes.

Risk Categories: Strategic; Financial; Operational (Service Delivery, People, Technology); Legal/Regulatory/Compliance; Reputation

Consequence: Catastrophic/Critical

Strategic
- Significant impact on DECD's ability to achieve its strategic objectives in relation to learning and care of students and children
- Significant impact on DECD's ability to achieve its corporate, governance and accountability strategic objectives
- Ongoing loss of critical infrastructure
- Catastrophic/Long-term workforce/community harm
- Catastrophic long term environmental harm
- Sudden/prolonged loss of significant proportion of key leadership

Financial
- Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
  o > $5 million, or
  o 15% deviation from corporate budget
  o 30% deviation from unit/programme budget

Operational
- Failure/breach of multiple fundamental controls that places the organisation in a position where it cannot operate with due care or within acceptable organisational parameters
- Significant erosion or effect on customer base
- Death of adult or child
- Majority of critical projects/programmes cannot be achieved
- Ongoing loss of critical infrastructure and systems

Legal/Regulatory/Compliance
- Sustained non-compliance to legislation that has funding impact and/or duty of care impact

Reputation
- Sustained negative publicity or damage to reputation from a national perspective, industry perspective or from the community welfare perspective
- Significant long term damage to public confidence in the government policy platform, leading to sustained compromise in the achievement of DECD strategic objectives

Consequence: Major

Strategic
- Major impact on DECD's ability to achieve its strategic objectives in relation to learning and care of students and children
- Major impact on DECD's ability to achieve its corporate, governance and accountability strategic objectives
- Impact cannot be managed within DECD's existing framework
- Long-term loss of critical infrastructure
- Significant long-term workforce/community harm
- Significant long-term environmental harm
- Loss of key leadership or CE

Financial
- Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
  o $1 - $5 million, or
  o 5% - 15% deviation from corporate budget, or
  o 15% - 30% deviation from unit/programme budget
- External audit qualification on the report and accounts and discussion in parliament

Operational
- Failure/breach of a fundamental control
- Major adverse effect on customer base
- Effectiveness and efficiency of organisation significantly reduced
- Multiple serious injuries and/or major OHS&W liability incident/issue
- Major project over-run or failure of project/programme to meet key requirements
- Major IT and IT security related incidents
- Major disruption in business

Legal/Regulatory/Compliance
- Serious failure to comply with legal or regulatory requirements that may result in fines and/or curbing of business/suspension/public admonishment and/or parliamentary enquiry
- Failure to comply with legal or regulatory requirements in some instances that may result in warning letter/admonishment to senior management
- Regulatory non-compliance which places individuals at risk of harm
- Potential for significant restrictions on business activities
- Significant breach of code of ethics/conduct or accepted industry practices

Reputation
- Negative publicity or damage to reputation from a national perspective, industry perspective or community welfare perspective.
- Damages public confidence in the government policy platform

Consequence: Moderate

Strategic
- Minor impact on critical DECD objectives in relation to learning and care of students and children
- Minor impact on critical DECD corporate, governance and accountability strategic objectives
- Significant adjustment to resource allocation and service required to manage impact
- Loss of support infrastructure
- Significant short term workforce/community harm
- Significant short-term environmental harm

Financial
- Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either:
  o $500,000 - $1 million, or
  o 2% - 5% deviation from corporate budget
  o 5% - 15% deviation from unit/programme budget
- External audit management letter contains significant issues or employees

Operational
- Breach of a major control but compensating controls are in operation
- Moderate adverse effect on customer base
- Effectiveness and efficiency of some major organisational elements reduced
- Serious injury and/or illness
- Moderate delays in project implementation, moderate cost and time over-runs
- Moderate disruption in business

Legal/Regulatory/Compliance
- Moderate regulatory breaches / non-compliance resulting in comments in relevant inspections/reports and/or ministerial enquiries.
- Breach of code of ethics/conduct or accepted industry practices

Reputation
- Negative publicity or damage to reputation to a specific audience which may not have significant long-term or community effects

Consequence: Minor

Strategic
- Negligible impact on critical DECD objectives
- Additional internal management efforts required to manage impact
- Interruption to support infrastructure
- Minor transient workforce/community harm
- Minor transient environmental harm

Financial
- Loss of assets, adverse impact on annual revenues or costs of lower of either:
  o < $500,000 or
  o < 2% deviation from corporate budget, or
  o < 5% deviation on unit/programme budget
- External audit raises some isolated findings

Operational
- Failure of an enhancement control with core controls in operation
- Minor effect on customer base
- Effectiveness and efficiency of elements of the organisation is reduced
- First aid or minor lost time injury and/or minor OH&S liability incident/issue
- Minor delays and over-runs in project and programme implementation
- Minor disruption of business

Legal/Regulatory/Compliance
- Minor impact to code of ethics/conduct or accepted industry practices

Reputation
- Minor negative publicity or damage to reputation to an insignificant audience

Consequence: Insignificant

Strategic
- Negligible impact on critical DECD objectives
- Impact can be managed through routine activities

Financial
- Insignificant loss of assets or insignificant adverse impact on annual revenues or costs

Operational
- Negligible impact on customer base
- Negligible impact on effectiveness of the organisation
- Incident with or without minor injury

Legal/Regulatory/Compliance
- Little or no impact to code of ethics/conduct or accepted industry practices

Reputation
- Minor unsubstantiated negative publicity or damage to reputation to an insignificant audience

APPENDIX 2 TABLE 2: DECD RISK RATING MATRIX

This table may be used as a guide to analyse and assess risk ratings based on consequences
(Appendix 3) and likelihood in order to prioritise risk for risk management action plan development

Likelihood

Control failures or repetitive risk events in business as usual:
- Rare: Possibility of occurrence less than 5%
- Unlikely: Possibility of occurrence between 5% - 25%
- Possible: Possibility of occurrence between 25% - 50%
- Likely: Possibility of occurrence between 50% - 75%
- Almost Certain: Possibility of occurrence more than 75%

Discrete risk events, e.g. earthquake, loss of key personnel, failure to meet strategic objectives, etc.:
- Rare: May occur less than once in 15 years
- Unlikely: May occur at least once in 5-15 years
- Possible: May occur at least once in 2-5 years
- Likely: May occur at least once in a year
- Almost Certain: May occur multiple times in a year

Risk rating by Consequence and Likelihood

Consequence Catastrophic/Critical: Rare - High; Unlikely - High; Possible - High; Likely - Extreme; Almost Certain - Extreme
Consequence Major: Rare - Moderate; Unlikely - Moderate; Possible - High; Likely - High; Almost Certain - Extreme
Consequence Moderate: Rare - Low; Unlikely - Moderate; Possible - Moderate; Likely - High; Almost Certain - High
Consequence Minor: Rare - Low; Unlikely - Low; Possible - Moderate; Likely - Moderate; Almost Certain - High
Consequence Insignificant: Rare - Low; Unlikely - Low; Possible - Low; Likely - Moderate; Almost Certain - Moderate

From the risk rating you can then choose a course of further action for the risk. Below is a general
guide to the action that might be taken.

Risk Rating: Action required
- Extreme Risk: Immediate action required
- High Risk: Senior Management attention needed.
- Moderate Risk: Management responsibility must be specified
- Low Risk: Manage by routine procedures

APPENDIX 3 RISK ASSESSMENT TABLE

Table columns:
- No
- Risk Description (including cause of risk)
- Impact Description (impact/effect if the risk eventuates)
- Existing Controls (Actual & Factual - a control is in place, not a planned action)
- Control Owner
- Existing Control Assessment
- Current Level of Risk (Consequence x Likelihood). Example entry: Moderate (C), Possible (L), MODERATE
- Risk Treatment Action Plan (Approved strategies to be put in place)
- Treatment Owner and Treatment Due Date (for action plan)
- Remaining Level of Risk (Consequence x Likelihood). Example entry: Minor (C), Unlikely (L), LOW
- Risk monitoring and reporting (e.g. Are the existing controls effective or have any failed; are treatment plans fully implemented &/or tracking to plan; and are additional measures required to manage the risk). Example entry: e.g. date reviewed, controls effective, treatments delayed due to competing objectives or treatments are 90% complete.

Notes:
- To assess the level of risk refer Appendix 2 (Table 1 and 2). The Current Level of Risk should take into consideration the existing controls and the effectiveness of those controls.
- The Remaining (Residual) Level of Risk should be an assessment based on the likely remaining level of risk once all risk treatments are implemented.

Risks Assessment completed by:
Date:
Updated By:
Updated On:

APPENDIX 4 - RISK TREATMENT OPTIONS

Action: Accept the Risk
Application: Appropriate where the impact of the risk is minimal or insignificant and
outweighs the measures, financial or otherwise, required to control or eliminate the risk.
Example Treatment: Manage the risk using existing procedures.

Action: Avoid the Risk
Application: This involves deciding not to proceed or continue with the activity likely to
generate the risk (if this is practical). It should be noted that risk avoidance might well
increase the significance of other risks.
Example Treatment: Cease the activity affected by the risk.

Action: Reduce the Likelihood of Occurrence
Application: This involves modifying the environment to minimise the identified risk(s).
When potential risk situations are identified, alternative courses of action should be
evaluated to determine if the undesirable outcome could be avoided at a reasonable cost.
As a general guideline, the preventative actions should cost less than the expected value
of exposure and/or less than the cost of the contingency plan.
Example Treatment: Review contract terms and conditions, upgrade supervisory
requirements, and conduct additional project analysis.

Action: Reduce the Consequence
Application: This involves implementing a contingency plan (or similar actions) where
preventative action is either unavailable, the cost of prevention is prohibitive or the
preventative action fails.
Example Treatment: Contingency plan, Business Continuity Plan, alternative supplier
arrangements, etc.

Action: Share the Risk
Application: Sharing responsibility for the risk with another party, who ultimately bears
some of the consequences if the risk occurs. Depending on the risk level, it is
recommended that careful qualification of the third party be undertaken and contracted
in advance.
Example Treatment: Insurance policies or contractual agreements with third parties.

APPENDIX 5 EXAMPLE OF DETAILED RISK MONITORING TABLE

Compiled by:
Date:

Table columns:
- What are the key objectives/features of the contracting project?
- What are the things you need to monitor to ensure that the objectives/features are achieved? (e.g. monitor existing risk controls and/or the progress of implementation of risk treatments.)
- Planned date
- Responsibility for action

A workbook can be developed to assist in the monitoring process. The workbook should contain all
relevant information relating to the contract including:
- Project objectives and critical success factors;
- Principal's and Contractor's obligations;
- Risk Analysis Matrix;
- Risk Register Table;
- Risk Assessment Table;
- Risk Treatment Table; and
- Risk Monitoring Table.
