Managing Risks in the Procurement Process

Session 2.1

Managing Risks in the Procurement Process

Session Overview
In the previous session, we looked at the various stages in the procurement process. Risks are inherent in all the stages of the procurement process. The ASOSAI Guidelines for Dealing with Fraud and Corruption regards contract of services/procurement as a very high-risk area. Therefore an effective procurement process requires the application of sound risk management practices aimed at protecting the interests of the government and ensuring that the procurement outcomes are achieved. A structured approach to the identification, quantification and subsequent management of risks must be adopted so that risks is retained by or transferred to the party who can manage the risks most effectively. The level and nature of risk management in the procurement process will vary according to the nature, size and complexity of procurement. In the audit of procurement process, it is vital that the auditors are able to identify the risks involved in various stages of the procurement process. They should be able to evaluate the risk management process undertaken by the management and see whether appropriate measures have been undertaken by the management to overcome the identified risks. Therefore, it is imperative that auditors auditing the procurement process have a sound knowledge of the risk management process. This session deals with the risk management process which is an integral part of the procurement process.

Learning Objectives
By the end of this session, participants will be able to Explain the various stages involved in risk management process

Basic Concepts
Risks - The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood. It is a concept that auditors and managers use to express their concern about the probable effects of an uncertain environment. Since the future cannot be predicted with certainty, auditors and managers have to consider a range of possible events that could take place. Each of these events could have a material effect on the enterprise and its goals. The negative effects are called risks and the positive effects are called opportunities. There may be circumstances or events that should not occur for the procurement process to be successful. If you believe such an event is likely to happen, then it would be a risk.

Audit of Procurement Process

Notes 2.1

1/8

Managing Risks in the Procurement Process

Session 2.1

Risk Management Process

Risk should be identified at an earlier stage in the procurement planning. However, the identification of risk is not an end in itself, nor does the existence of risk indicate that procurement should not proceed. Therefore, the challenge for the procurement manager is to decide whether or not risks are acceptable, i.e. whether they can be managed efficiently and effectively. Risk management is an iterative process consisting of well-defined steps, which support a better decision making by contributing a greater insight into risks and their impacts. It is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, treating and monitoring those risks, which impact on organisations objectives. It is the process of measuring, or assessing risk and then developing strategies to manage the risk. It demands that a plan of action be developed in relation to identified risk that minimizes the likelihood and consequences of these occurring. In general, such a plan of action may include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. The plan needs to be continually monitored and reviewed since risks and their relative significance change over time. The level and nature of risk management in the procurement process will vary according to the nature, size and complexity of procurement or the procuring agencies. The fundamental elements of Risk Management Process can be represented diagrammatically as follows; Establish the Context

Identify the Risks Analyse Risks

Monitor and Review

Risk Management Plan

Evaluate & Prioritise the

Treat Risks

Audit of Procurement Process

Notes 2.1

2/8

Managing Risks in the Procurement Process

Session 2.1

The above diagram presents risk management process in five sequential stages. However, in practice it may not necessarily be strictly sequential. Although they are five separate definable processes, the information discovered at one stage may require the agency to return to previous stages. Many agencies regard Monitoring and Review as the sixth stage but since it is a continuing process from the stage of Establishing Context till Treating the Risks, it has been shown as a separate process. The outcome of risk management process should be a formal Risk Management Plan. 1. Establish Contexts The first stage in risk management process involves determining key business objectives, processes and resources. In developing a strategy for managing the risks associated with the procurement process, it is important to understand, by all parties, goods to be delivered, the business outcomes and outputs that those goods support, the management environment and the business risks associated with the procurement. This stage involves providing answers to the following questions; What are the objectives and goals of the procurement? (Objectives) Who is interested in or impacted by this procurement? (Stakeholders) What are the measures of success for this procurement? (Criteria) What are the key aspects that make up this procurement? (Key Elements)

Such information establishes the context that defines the overall priority of the procurement to the organisations business, which in turn determines the level of resources that should be allocated to the procurement risk management process. The costs incurred in managing the risk should be commensurate with the size, type and complexity of the procurement and the benefits in terms of reduced levels of risk in order to achieve the primary value for money objective. 2. Identify the Risks This stage involves the identification of possible types of risks. The two major questions that should be asked at this stage are What events could occur that may adversely impact upon the objective of the procurement? (What can happen?) How could these events happen and if they did, in what way would they impact upon the procurement? (How could it happen?)

In many of the major procurements, there could be at least two levels of risk as contract risk and contract management risk: i. Contract Risk These are risk associated with the delivery of the service such as goods not delivered in accordance with the requirements of the contract in terms of cost, quality and quantity. Normally such risks are external and therefore may be considered beyond our control. External risks could be grouped as:

Audit of Procurement Process

Notes 2.1

3/8

Managing Risks in the Procurement Process

Session 2.1

Political/Regulatory Policy Changes Administrative changes Changes of government etc. Economic/Market Pricing Reviews Cost escalations Suppliers business failure Economic Downturn etc.

Environmental/Natural Fire Flood/landslides Earthquake etc. Technological Viruses Hacking Network Failure Changes in technology etc.

ii.

Contract Management Risk These are risks associated with the management of the contract. Such risks are generally lower and arise from within the organisation. They are less likely to threaten the delivery of goods. However, if they are not managed, they could threaten contract relationship and adversely affect the delivery of goods. Such risks could be grouped as:
Strategic Non identification of key outputs Performance targets not aligned with the outputs Skill/Knowledge gap Change in business objective etc. Operational Failure to meet output targets for time, cost, quantity and quality Skill/Knowledge Gap Environment and safety requirements Staff unrest etc.

3. Analyse the Risks Once the risks are identified, they are analysed in terms of their likelihood and consequences. The questions that should be asked at this stage are; What policy, processes, procedures currently exist and whether they are effective? (Controls) What is the impact on the procurement if the risk occurs? (Consequence) How likely is it that the identified consequence will materialise? (Likelihood) What is the severity of the risk, given the consequence and likelihood? (Level of Risk)

At this stage, the management must see whether the existing controls are enough to mitigate the identified risks. Such an assessment will provide an opportunity to identify ways of improving the internal controls. The impact on procurement process can arise from a range of risk events. Management should assess each event to determine the likelihood of its occurrence and whether it could adversely affect the specified delivery standards in terms of cost, quantity and quality. Such impact areas may be categorised by outputs, resources, reputation, business interruption, compliance and clients/stakeholders while the likelihood of risk occurring could be categorised as frequent, probable, occasional,
Audit of Procurement Process Notes 2.1 4/8

Managing Risks in the Procurement Process

Session 2.1

remote or improbable. The severity of the impact of risk can be determined by establishing relevant evaluation criteria (e.g. low high risk escalating scale against which the impact can be assessed). Careful consideration is required to determine the extent of evidence required to validate findings and conclusions regarding the level and nature of an identified risk. 4. Evaluate and Prioritise Risks Once the risks are analysed in terms of likelihood and consequences, the management has to evaluate and prioritise the risks. The questions that should be asked at this stage are; Are the risks tolerable or is further treatment necessary? (Evaluation) Which risks are to be treated first? Prioritise all risks by assessed risk level (Rank Risks) Are there risks that may be set aside or are so insignificant that they do not require specific action? (Screen Risks)

The outcome of this stage should be the unacceptable risks in accordance of priority that needs to be treated or require specific actions. However, acceptable risks should be monitored and periodically reviewed to ensure that they remain acceptable. 5. Treat Risks The aim of treating the risk is to reduce the risk to a level that is acceptable by the agency. It involves considering alternative options for dealing with those risks that are considered as intolerable or unacceptable. The questions that need to be asked at this final stage of procurement risk management are: What actions can be taken to eliminate or reduce the risks? (Identify Options) What is the best option, or set of options, noting costs and benefits? (Select Options)

Based on the solutions to the above questions, the management has to prepare detailed treatment plans by including resources and other schedule matters. Accordingly, the plan needs to be implemented, with adjustments as and when necessary. The Risk Treatment could offer the following 5 or more options; i. Reduce the likelihood. This involves developing strategies and actions for reducing the likelihood of the risk occurring. E.g. Seeking police protection where there is risk of valuable goods being looted by the robbers. ii. Reduce the consequence. This involves developing strategies and actions for reducing the consequence should the risk occur. E.g. making provisions for loss in transit.

Audit of Procurement Process

Notes 2.1

5/8

Managing Risks in the Procurement Process

Session 2.1

iii. Transfer. This involves transferring the risk in part or full. Risk transfer can be initiated by; Risk Sharing, where risk exposure is shared between the contracting parties by such methods as pricing structure that are either fixed or cost reimbursement contracts E.g. Management bearing 50% of the cost escalation. Risk Allocation, where only one party or third party such as an insurer bears the risk. It can increase or lower the contract price depending on who bears the risk. E.g. Goods Transit Insurance

iv. Avoid. This involves avoiding the activity altogether if the activity is likely to generate risk. Factors to consider the validity of this option include: What will happen if the activity is not undertaken? Is the risk level too high to proceed/continue with the activity? Is the cost of required controls higher than the benefit of the activity? Will the failure of the activity have critical consequences for other areas of the procurement process.. E.g. if buying from certain country is risky, given the political unrest in that country, then the management can avoid buying from that particular country after considering the above factors. v. Retaining the Risk. This involves retaining the risk and managing it. Such an option normally leads to heavy resource requirement. The risk treatment options could largely depend on the cost and benefits of each option. Risk Monitoring and Review Risks and their priorities do not remain the same. Therefore on-going monitoring and review of the overall risk management process is essential to ensure the efficient and effective delivery of goods. Monitoring and review has to be a continuous process commencing with establishing context. Accordingly new risks and their impact on the procurement process need to be established. The outcome of the overall risk management process should be a formal or informal Risk Management Plan that identifies and ranks all risks and their treatments. Key decisions and factors that led to those decisions should also be recorded for transparency and accountability purpose.

Audit of Procurement Process

Notes 2.1

6/8

Managing Risks in the Procurement Process

Session 2.1

Example of Risk Management Process in Pre-qualification of a Supplier

1. Establish the context Review the agency goal/program objectives that are to be met by the procurement including any relevant program guidelines relating to the supplier Identify relevant agency guidelines relating to procurement, financial, contract management Assess the tender submitted including an assessment of the commercial viability and relevant experience of the supplier in relation to the proposed contract 2. Identify Risks Identify all of the risk associated with the supplier. Use Risk Assessment Matrix as follows: Summary of Risk Escalation L M H 1.History & development of the suppliers business. 2.Legal background & capital structure 3.Critical performance elements of the contract 4.Management & Employees 5.Commitment, contingencies & litigations 6.Financial Viability In each of the above six areas, identify and assess specific risks that may be relevant to the procurement. Careful considerations should be given to the type and quantity of information required to undertake an adequate risk assessment. 3. Analyse Risks What is the likelihood and consequence of a change in the financial situation or management structure of the potential supplier? How would such a change affect the suppliers ability to fulfil the terms of the contract? What authorisation, approval and checking procedures are in place to minimise the risk of contracting an in appropriate supplier? Evaluating and Treating the Rsks The risk assessment matrix is intended to assist agencies to reduce the risk of contracting with an inappropriate supplier. It can be used to make an overall assessment of the ability of the potential supplier to deliver successfully the products given in the contract. The matrix can reveal whether the potential supplier constitutes a high, medium or low risk. Based on the outcome of the matrix, appropriate measures to manage the risks can be initiated. For example: In the case of high/moderate risk supplier, where a decision has been made to proceed further with the supplier, some combination of the following mitigation measures can be undertaken:

Providing a guarantee by an entity related

to the supplier.

Regular performance reporting and access

to all suppliers financial and other relevant records.

Inserting conditions in the contract relating

to timing/standard of service delivery, performance bond and penalty clauses.

Summary
Risk Management is a practical planning and problem-solving tool. It involves the concept of controlling the extent of risk and/or the severity of the consequences. In managing risks, a balance needs to be struck between the costs of managing risks and the benefits gained. As a general rule, the aim should be to allocate risks to those best able to manage them provided that the cost of transferring them to that party does not exceed the cost of retaining them.

Audit of Procurement Process

Notes 2.1

7/8

Managing Risks in the Procurement Process

Session 2.1

While it is essential for an auditor to understand the risk management in the procurement process, one should not forget that there is the auditors own risk (audit risk) in any type of audit. Auditors give an audit opinion based on reasonable assurance, since to do so with absolute certainty would be vastly expensive and near impossible. It is acceptable that audits are performed on a test basis, with a resulting risk that auditors may fail to discover all material errors. Therefore, auditors should also manage their own risk during the process of auditing. Risks are involved in all stages of the procurement process. The subsequent sessions deals with identifying the risks and auditing each stage of the procurement process. Risks identified at each stage in the procurement process can be managed by the auditors by developing an audit plan and checks appropriate to the risk perception and accordingly report his findings. ******.

References
ASOSAI, ASOSAI Guideline for Dealing with Fraud & Corruption ASOSAI, FAIT Workshop Material, 2003 The Public Sector Comparator, A Canadian Best Practice Guide, 2002 ANAO, Better Practice Guide, 1998 CIDB, Procurement Practice Guide, 2003 ACT Insurance Authority, Risk Management Tool Kit, 2004 David McNamee, Assessing Risk Assessment, 1996 Procurement Strategy Council, Managing Procurement Risk, 2003 CSP Practice Note Guide to Limiting Supplier Liability in Australian Government ICT Contracts West Devon Borough Council, Corporate Procurement Strategy

Audit of Procurement Process

Notes 2.1

8/8