Managing risk is an essential part of procurement and contract management. You will need to assess the risks that may affect the performance of your contract and its ability to achieve the desired outcomes.
Risk is defined in ISO 31000:2018 Risk Management as 'the effect of uncertainty on objectives'. An effect is a deviation from the expected outcome - positive or negative. Risk is often expressed as a combination of the consequences of an event and the associated likelihood of occurrence.
In contract management, risk management refers to the activities that you undertake to manage and control your contract with regard to risk.
Your entity will have a risk management framework and may provide a template for a risk management plan or will provide direction consistent with your framework.
Contract managers should identify the risks associated with delivering the contract and analyse the seriousness of those risks and likelihood of them occurring. The next step is to consider existing risk controls that are already in place and evaluate whether they are sufficient to manage the risk without taking additional measures. If not, then risk treatments need to be applied. The risk controls and risk treatments aim to prevent the risk from occurring (if possible), and/or to minimise the consequences if any risk events do eventuate. Obligations placed on the supplier and the allocation of responsibility for particular issues under the contract will often form part of these controls and treatments - and so effective contract management will assist with managing these risks.
As the contract manager, it is your job to deal promptly and effectively with any risk events that occur during the life of your contract. All officials with a role in managing the contract also play a part in managing risk and identifying emerging issues.
Risks may specifically relate to the goods or services you are receiving (for example, Work Health & Safety risks in a cleaning contract or using unqualified trainers to deliver training programs), or they may relate to the contract management process itself (for example, loss of key staff, staff having insufficient expertise in contract management, or failure to adequately check deliverables or pay invoices on time).
Shared risks should also be considered in contract management. A shared risk exists where more than one party is exposed to, or can significantly influence, the risk. Most contracts will involve shared risks and a key consideration will be the types and level of risk that will be assumed by each of the parties to the contract.
Paragraph 8.4 of the Commonwealth Procurement Rules (CPRs) notes that, as a general principle, risks should be borne by the party best placed to manage them. This may be either the supplier or the procuring entity. The allocation of risks may be set out in the contract, including through the indemnities and limitations of liability.
Identified risks will be incorporated into your contract management plan or, if the risks are substantial, into a separate risk management plan.
Your approach to managing risks for individual contracts should be consistent with your entity's broader risk management framework.
Key Risk Management Terms

• Risk identification is the process of finding, recognising and describing risks. Risk identification involves the identification of risk sources, risk events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions and stakeholders' needs.
• Risk analysis is the process used to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
• Risk evaluation is the process of comparing the level of risk against risk criteria, such as those commonly contained in a risk evaluation matrix (for example extreme risk, moderate risk or negligible risk). Risk evaluation assists in decisions about risk treatment.
• Risk assessment refers to the process of undertaking risk identification, risk analysis and risk evaluation.
• A risk control is a measure taken to modify risk. Controls are the result of risk treatment. Controls include any policy, process, device, practice or other actions designed to modify risk.
• A risk treatment is a proposed control, yet to be implemented. The term 'risk treatment' can also be used to refer to the process of selection and implementation of measures to modify risk.

Risk definitions from: Commonwealth of Australia, Department of Finance, Commercial and Government Services, "Resource Management Guide 211 Implementing the Commonwealth Risk Management Policy - Guidance". https://www.finance.gov.au/government/comcover/risk-services/management

Want to know more about risk management?

Further information about risk management is available from:
• Comcover in the Commonwealth Risk Management Policy 2014 and Implementing the Commonwealth Risk Management Policy: https://www.finance.gov.au/government/comcover/risk-services/management
• Department of Finance Resource Management Guides at https://www.finance.gov.au/government/resource-management/list-number
• Standards Australia guidance for the international standard ISO 31000:2018 Risk Management - Guidelines: https://www.standards.org.au/standards-catalogue/international/iso-slash-tc--262/iso-31000-colon-2018

When identifying risks it may be useful to consult with stakeholders, technical staff or users. You should consider all aspects of your contract, including the management of your contract, and assess whether there may be exposure to any risks. Some common sources of risk and examples of risks are listed in the table below (this is not a definitive list and you will need to consider risk in the context of your contract).
| Sources of Risk | Examples of Risks |
| Systems, procedures and guidance | • Multiple systems that are not integrated and/or require multiple entry of the same data • Systems that are not supported by appropriate procedures and/or guidance material • Different systems containing incomplete and/or conflicting contract data • Absence of required contract delegations |
| Roles and responsibilities | • Unclear and/or misunderstood roles and responsibilities for aspects of contract management |
| Contract management capability | • Lack of understanding of relevant government and/or entity procurement policies and reporting requirements relating to contracts • Lack of experience in the management of contracts • Lack of recognition of the importance of contract management • Insufficiently skilled and experienced resources available to effectively manage the contract • Lack of training in contract management • Failure to act on supplier under-performance • Fraud and/or unethical conduct by staff |
| Supplier performance | • Supply chain issues • Failure to provide contract deliverables on time, to the agreed quality standards • Failure to adhere to the agreed budget • Failure to comply with all contract provisions, for example, privacy, security, recordkeeping • Fraud and/or unethical conduct by the supplier |
| Changes in circumstances or requirements | • Contract changes not dealt with as contract variations • Supplier not prepared to agree to contract variations to accommodate changes in entity requirements • Changes in circumstances not managed in a timely manner |
| Stakeholder relationships | • Stakeholders not consulted and/or kept informed about contract performance • Changes in stakeholder needs and/or expectations not communicated to contract manager • Differing and/or conflicting stakeholder expectations |
| Contract materials, information and records | • Failure to provide required materials or information to the supplier • Failure of the supplier to return or destroy all materials, information and records in the agreed timeframe and through the agreed processing (ensuring compliance with the Protective Security Policy Framework (PSPF)) |
| Payment | • Failure to pay supplier invoices in a timely manner • Failure of the supplier to provide correctly rendered invoices • Submission by the supplier of an invoice for unforeseen or unapproved additional costs |
| Transition arrangements | • Failure to appropriately manage transition from the outgoing supplier • Not commencing arrangements for a new procurement in a timely way • Service disruption • Probity issues with procurement process for replacement goods or services after the contract end date, particularly where existing supplier is re-tendering • Not addressing performance problems with an outgoing supplier • Not addressing performance problems with an existing supplier |
| Achieving Value for Money | • Not addressing performance problems with a supplier • Contract variations degrading value for money • Not gathering data to allow determination of whether value for money was achieved • Not reviewing contracts and learning lessons from improvement opportunities • Not linking value for money achieved in a contract with the contract renewal process |
| ICT Risks | • Failure to have appropriate security controls and measures in place to protect Commonwealth data and the personal information of Commonwealth officials • Failure to protect the privacy of Commonwealth officials and any personal data that the supplier may come across or have in their possession • Failure to have supplier personnel appropriately security assessed to ensure the protection of Commonwealth data |