Managing Risk in Procurement Guideline

Transcription

1 Guideline DECD 14/10038 Managing Risk in Procurement Guideline Summary The Managing Risk in Procurement Guideline assists in the identification and minimisation of risks involved in the acquisition of goods and/or services. Publication Date April 2015 Review Date April 2018 Related Legislation/Applicable Section of Legislation Related Policies, Procedures, Guidelines, Standards, Frameworks State Procurement Act 2004 DECD Procurement Governance Policy SPB s Risk Management Guideline DECD Risk Management Policy Replaces Managing Risk in Procurement Guideline V4.2 Policy Officer (Name/Position) Ty Potticary, Senior Project Officer Procurement/Fleet Policy Officer (Phone) Policy Sponsor (Name/Position) Executive Director Responsible (Name/Position/Office) John Scalzi, Assistant Director, Procurement and Contracting Ross Treadwell, Executive Director, Infrastructure 1 Managing Risk in Procurement Guideline January 2015

2 Applies to Key Words Status Approved by All DECD Staff All School Governing Council/School Council Members All Preschool Management Committee Members DECD Ministerial Committees Risk, Management, Procurement, Guideline, Treatment. Current Senior Executive Group Approval Date 16 April 2015 Version Managing Risk in Procurement Guideline V4.3 2 Managing Risk in Procurement Guideline January 2015

3 REVISION RECORD Date Version Revision Description January Creation of Regulating Risk section, including Controls. Insertion of Definitions and Abbreviations section. 3 Managing Risk in Procurement Guideline January 2015

4 CONTENTS 1. TITLE PURPOSE SCOPE GUIDELINE DETAIL Risk Management The Risk Management Process Communication throughout the Process Establishing the Context Risk Identification Risk Analysis Risk Evaluation Regulating Risk Risk Management ROLES AND RESPONSIBILITIES MONITORING, EVALUATION AND REVIEW DEFINITIONS AND ABBREVIATIONS SUPPORTING DOCUMENTS REFERENCES... 9 APPENDIX... 9 APPENDIX 1: Identifying Risk APPENDIX 2: Table 1 DECD Risk Assessment Criteria Matrix Table 2 DECD Risk Rating Matrix APPENDIX 3: Risk Assessment Table APPENDIX 4: Risk Treatment Options APPENDIX 5: Detailed Risk Monitoring Table Managing Risk in Procurement Guideline January 2015

5 1. TITLE Managing Risk in Procurement Guideline 2. PURPOSE The Managing Risk in Procurement Guideline has been developed to assist DECD worksites and staff in the identification and minimisation of risks involved in the acquisition of goods and/or services. 3. SCOPE The Guideline applies to all DECD staff, members of School Governing Councils / School Councils, Preschool Management Committees and DECD Ministerial Committees that have elected to operate within the DECD procurement authority. The Guideline should be read in conjunction with the DECD Procurement Governance Policy, the agency s underpinning procurement policy. 4. GUIDELINE DETAIL The Guideline aims to assist in developing an understanding of risks inherent to procurement, and the components and processes involved in risk management Risk Management The South Australian Government s Risk Management Policy Statement (2009) places responsibility on agency Chief Executives for the effective and timely implementation of risk management standards and practices, in accordance with the Australian/New Zealand Standard AS/NZS ISO 31000:2009. The Australian/New Zealand Standard AS/NZS ISO 31000:2009 defines risk as the effect of uncertainty on objectives. A risk is a future condition or circumstance which could impact on objectives if it occurs, whereas an issue is a current event or condition which should be dealt with. Risk is measured in terms of a combination of the consequence or impact of the event and their likelihood, and may have a positive or negative impact. Risk Management is the systemic, positive identification of threats and the identification of opportunities for the best use of resources. It also involves the development of appropriate strategies to manage risk and enable an organisation to take appropriate action towards the management of resources. DECD has established a department-wide risk management policy and framework which is based on the South Australian Government Policy. For further information on this overall risk management framework, please refer to the DECD Risk Management Framework and Policy. The DECD Managing Risk in Procurement Guideline specifically targets risk management relating to the procurement activities within the department The Risk Management Process The level of detail and effort required to manage risk in procurement will vary depending on the nature and value of the procurement. 5 Managing Risk in Procurement Guideline January 2015

6 As a guide, the following key steps in the risk management process are provided for consideration when undertaking procurement: Communication throughout the Process Undertake communication and consultation with the relevant internal and external stakeholders. This ensures that all stakeholders share the same understanding of risks within each procurement project and how they are to be handled Establishing the Context (Internal and External) To establish the context, we must understand the environment in which the procurement is being undertaken, in line with the organisation, stakeholders, strategy and the associated importance of risk management for that transaction. To establish the risk management context for the procurement consider the following: The organisation s cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment; The importance of the procurement to the business and its objectives; The relationships with, and perceptions of and values of internal and external stakeholders; Capabilities in terms of resources such as people, processes, capital, systems and technology; The organisation s approach to risk in terms of levels of acceptable risk; Defining responsibilities for risk management in the procurement process; and Previous experience or lessons learned with similar contracts Risk Identification All procurement projects require the identification of potential risks associated with the procurement. There are a number of useful tools and techniques that can be used, including: Checklists; Brainstorming; Systems analysis; Drawing on outside experience; and SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis. Examples of common risk categories in a procurement context have been provided in the State Procurement Board s Risk Management Guideline, and are included in Appendix 1 for ease of reference Risk Analysis Risk analysis is a process of determining why, how and where a possible risk might occur. It involves identifying existing controls (if any), including an assessment of the effectiveness of those controls. In determining the level of risk associated with procurement transactions, two key elements require consideration: Likelihood: How likely is it that the potential risk will occur? Consequence: What would happen if the potential risk eventuates? Risk Evaluation Once the likelihood and consequence of the identified risks have been analysed, it is necessary to evaluate and prioritise the risks so that the most significant risks are treated first. 6 Managing Risk in Procurement Guideline January 2015

7 Within DECD, all Procurements $220,000 (GST Inclusive) and over require the completion of an Acquisition Plan, which includes a risk assessment. Worksites must demonstrate how the procurement will manage any current risks identified. One way of doing this is to rate the specific risks as either extreme, high, moderate or low depending on the combined ratings of the likelihood and consequences. The Risk Assessment Criteria Matrix and Risk Rating Matrix shown in Appendix 2 provide guidance on how risks can be prioritised in this way. Risk assessment information can then be recorded in the department s Risk Assessment Table (Appendix 3). For lower value procurements under $220,000 (GST Inclusive) the same principle applies, but may not require the same level of input. For example, the Simplified Acquisition Plan used by Corporate Offices will only require identifying risk treatment strategies for identified risks, and the risk rating matrix (Appendix 2) will not be necessary. Schools and Preschools undertaking procurements below the $220,000 (GST Inclusive) threshold may also wish to conduct a more simplified risk assessment where the procurement is of a routine or simple nature Regulating Risk Treatments Depending on the level of risk identified, the following risk treatment options may be considered: Accept the risk (where there is no feasible treatment option it may be appropriate or where the impact of the risk is minimal); Avoid the risk; Reduce the likelihood of occurrence; Reduce the consequences; or Share the risk. Appendix 4 provides details on applying the actions and examples. Controls The Procurement Unit has put in place a number of controls to assess and manage risk throughout the procurement process. This includes: The preparation of standard contracts, in conjunction with Legal Services, which contains child protection, suitability of person, insurance and limitations of liability clauses; and Requirements to complete Simplified Acquisition Plans and Contract Management Plans for procurements over designated thresholds Risk Management An important step in managing procurement risk is to ensure that the situation is monitored and corrective action is taken where appropriate. One method of risk monitoring could be via a Risk Management Plan an action plan that outlines how the identified risk will be managed. A risk management plan can take any form as long as it describes what is going to be done, who is going to do it and when. Risk management plans can be recorded in the department s approved Risk Assessment Table. The level of detail in risk management should be commensurate with the level of risk of the project. If the rating process produces a high rating, more detailed monitoring and reviewing needs to be carried out. If the rating is low, a less detailed review is required. 7 Managing Risk in Procurement Guideline January 2015

8 An effective risk management plan may include the following items: A statement of the project or contract objectives and critical success factors; An assessment of the adequacy of the objectives or targets; A structure of how the risks will be identified and analysed; An assessment of the product or service features; A list of risks under each category showing the likelihood and consequence ratings of each risk; An action plan showing the priority of each risk and the risks will be managed; and A statement about how the risk will be reviewed during the project. All DECD worksites should monitor risks and the effectiveness of treatments on a regular basis. The nature of risk may change throughout the course of a procurement process and it is likely that the risk management process may need to be repeated and appropriate action taken as required. In all cases, there is a need to record risks along with the applicable treatment. Details of when and how the risk management plan will be reviewed, and who will do it can be recorded in the Risk Monitoring Table (Appendix 5). For further information or assistance on managing risk in procurement please contact the Procurement Unit on ROLES AND RESPONSIBILITIES Role Chief Executives Managers Staff Authority/Responsibility for The Chief Executive is accountable for ensuring that risk management frameworks that relate to the organisation s business and organisational context are developed and implemented. Managers are responsible for ensuring staff undertaking any procurement processes within their role are sufficiently informed about relevant procurement procedures and guidelines. Managers include Executive Directors, Directors, Assistant Directors, Education Directors, Principals and Supervisors. Employees required to undertake purchases on behalf of their worksite should familiarise themselves and maintain currency with relevant legislation, government and department procurement requirements. 8 Managing Risk in Procurement Guideline January 2015

9 6. MONITORING, EVALUATION AND REVIEW The Managing Risk in Procurement Guideline will be reviewed in accordance with the requirements stipulated in the DECD Policy Framework. The effectiveness of the Guideline will be monitored and evaluated by the Procurement Unit as part of this process. 7. DEFINITIONS AND ABBREVIATIONS Term Risk Issue Treatment Control DECD SPB Meaning A future condition or circumstance which could impact on objectives if it occurs. A current event or condition that must be dealt with. An additional mechanism to be implemented which seeks to reduce the current likelihood and/or consequence of a risk. An existing mechanism which can be verified and seeks to reduce the likelihood and/or consequence of a risk. Department for Education and Child Development State Procurement Board 8. SUPPORTING DOCUMENTS DECD Risk Management Policy DECD Risk Management Framework DECD Procurement Governance Policy 9. REFERENCES State Procurement Board Risk Management Guideline APPENDIX Appendix 1: Identifying Risks Appendix 2: Table 1 DECD Risk Assessment Criteria Matrix Table 2 DECD Risk Rating Matrix Appendix 3: Risk Assessment Table Appendix 4: Risk Treatment Options Appendix 5: Detailed Risk Monitoring Table 9 Managing Risk in Procurement Guideline January 2015

10 APPENDIX 1 IDENTIFYING RISK EXAMPLES (The following is not an exhaustive list and different risks may be identified based on the nature of the procurement) Risk Category Examples Planning and Preparation Unrealistic time/cost expectations Conflict with existing contracts/supply arrangements Limited capacity to access necessary information Legal complexities Delays in obtaining approvals Incorrect method of approach selected Product/Service Limited availability Complex to manufacture/source Integration of the product into existing environment Delays in delivery, testing and installing Unsafe use of hazardous materials or practices Final product/service does not meet expectations Procurement Process Lack of probity or unethical behaviour Changes to scope and/or specifications Proper processes are not followed Risks are not adequately managed Tender process does not achieve value for money Government policies not followed Industry and Suppliers Lack of interest in response to tender Limited number of potential suppliers Industrial disputes Lack of capacity of individual contractors Complacency in long term supplier relationships Non-performance of contractors Management Inappropriately qualified or resourced project team Lack of communication amongst team/facilitators Responsibilities of project staff not clearly defined Expectations and objectives unclear Contract is poorly managed Loss of corporate memory relating to contract Unethical behaviour/conflicts of interest Stakeholders Public sensitivity/high level of media scrutiny Conflict among stakeholders Change in government policy/political demands Ineffective communication and consultation Contract Offer lapse before execution Errors/omissions in the contract Default by the supplier/termination of the contract Payments made in advance of goods/service received Acceptance of suppliers terms and conditions Bank guarantees Procurement objectives not realised Unplanned changes to scope and/or technology Lack of proper records Mismanagement of sub-contractors Unjustified contract extensions/amendments Fraud 10 Managing Risk in Procurement Guideline January 2015

11 Consequence APPENDIX 2 TABLE 1 DECD RISK ASSESSMENT CRITERIA MATRIX This table is a generic table intended as guidance on apply consequence ratings and should be adapted to and interpreted for specific procurement risk assessment processes. Risk Categories Strategic Financial Operational (Service Delivery, People, Technology) Legal/ Regulatory/ Compliance Reputation Catastrophi c/ Critical Major Significant impact on DECD s ability to achieve its strategic objectives in relation to learning and care of students and children Significant impact on DECD s ability to achieve its corporate, governance and accountability strategic objectives Ongoing loss of critical infrastructure Catastrophic/Long-term workforce/community harm Catastrophic long term environmental harm Sudden/prolonged loss of significant proportion of key leadership Major impact on DECD's ability to achieve its strategic objectives in relation to learning and care of students and children Major impact on DECD's ability to achieve its corporate, governance and accountability strategic objectives Impact cannot be managed within DECD's existing framework Long- term loss of critical infrastructure Significant long-term Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either: o > $5 million, or o 15 % deviation from corporate budget o 30% deviation from unit/programme budget Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either: o $1 $5 million, or o 5% 15% deviation from corporate budget, or o 15% 30% deviation from unit/programme budget External audit qualification on the report and accounts and discussion in parliament Failure/breach of multiple fundamental controls that places the organisation in a position where it cannot operate with due care or within acceptable organisational parameters Significant erosion or effect on customer base Death of adult or child Majority of critical projects/programs cannot be achieved Ongoing loss of critical infrastructure and systems Failure/breach of a fundamental control Major adverse effect on customer base Effectiveness and efficiency of organisation significantly reduced Multiple serious injuries and/or major OHS&W liability incident/issue Major project over-run or failure of project/programme to meet key requirements Major IT and IT security related incidents Major disruption in business Sustained non-compliance to legislation that has funding impact and/or duty of care impact Serious failure to comply with legal or regulatory requirements that may result in fines and/or curbing of business/suspension/public admonishment and/or parliamentary enquiry Failure to comply with legal or regulatory requirements in some instances that may result in warning letter/admonishment to senior management Regulatory non-compliance which place individuals at risk of harm Potential for significant restrictions on business activities Sustained negative publicity or damage to reputation from a national perspective, industry perspective or from the community welfare perspective Significant long term damage to public confidence in the government policy platform, leading to sustained compromise in the achievement of DECD strategic objectives Negative publicity or damage to reputation from a national perspective, industry perspective or community welfare perspective. Damages public confidence in the government policy platform 11 Managing Risk in Procurement Guideline January 2015

12 Moderate Minor Insignificant workforce/community harm Significant long-term environmental harm Loss of key leadership or CE Minor impact on critical DECD objectives in relation to learning and care of students and children Minor impact on critical DECD corporate, governance and accountability strategic objectives Significant adjustment to resource allocation and service required to manage impact Loss of support infrastructure Significant short term workforce/community harm Significant short-term environmental harm Negligible impact on critical DECD objectives Additional internal management efforts required to manage impact Interruption to support infrastructure Minor transient workforce/community harm Minor transient environmental harm Negligible impact on critical DECD objectives Impact can be managed through routine activities Loss of assets, adverse impact on annual revenues, costs or surplus of lower of either: o $500,000 $1million, or o 2% 5% deviation from corporate budget o 5% 15% deviation from unit/programme budget External audit management letter contains significant issues or employees Loss of assets, adverse impact on annual revenues or costs of lower of either: o < $ 500,000 or o < 2% deviation from corporate budget, or o < 5% deviation on unit/programme budget External audit raises some isolated findings Insignificant loss of assets or insignificant adverse impact on annual revenues or costs Breach of a major control but compensating controls are in operation Moderate adverse effect on customer base Effectiveness and efficiency of some major organisational elements reduced Serious injury and/or illness Moderate delays in project implementation, moderate cost and time over-runs Moderate disruption in business Failure of an enhancement control with core controls in operation Minor effect on customer base Effectiveness and efficiency of elements of the organisation is reduced First aid or minor lost time injury and/or minor OH &S liability incident/issue Minor delays and over-runs in project and programme implementation Minor disruption of business Negligible impact on customer base Negligible impact on effectiveness of the organisation Incident with or without minor injury Significant breach of code of ethics/conduct or accepted industry practices Moderate regulatory breaches / non-compliance resulting in comments in relevant inspections/reports and/or ministerial enquiries. Breach of code of ethics/conduct or accepted industry practices Minor impact to code of ethics/conduct or accepted industry practices Little or no impact to code of ethics/conduct or accepted industry practices Negative publicity or damage to reputation to a specific audience which may not have significant long-term or community effects Minor negative publicity or damage to reputation to an insignificant audience Minor unsubstantiated negative publicity or damage to reputation to an insignificant audience 12 Managing Risk in Procurement Guideline January 2015

13 Consequence APPENDIX 2 TABLE 2: DECD RISK RATING MATRIX This table may be used as a guide to analyse and assess risk ratings based on consequences (Appendix 3) and likelihood in order to prioritise risk for risk management action plan development Likelihood Rare Unlikely Possible Likely Almost Certain Control failures or repetitive risk events in business as usual Possibility of occurrence less than 5% Possibility of occurrence between 5% - 25% Possibility of occurrence between 25% - 50% Possibility of occurrence between 50%-75% Possibility of occurrence more than 75% Discrete risk events, e.g.- earthquake, loss of key personnel, failure to meet strategic objectives, etc. May occur less than once in 15 years May occur at least once in 5-15 years May occur at least once in 2-5 years May occur at least once in a year May occur multiple times in a year Catastrophic/ Critical High High High Extreme Extreme Major Moderate Moderate High High Extreme Moderate Low Moderate Moderate High High Minor Low Low Moderate Moderate High Insignificant Low Low Low Moderate Moderate From the risk rating you can then choose a course of further action for the risk. Below is a general guide to the action that might be taken. Risk Rating Extreme Risk: High Risk: Moderate Risk: Low Risk: Action required: Immediate action required Senior Management attention needed. Management responsibility must be specified Manage by routine procedures 13 Managing Risk in Procurement Guideline January 2015

14 APPENDIX 3 RISK ASSESSMENT TABLE No Risk Description (including cause of risk) Impact Description (impact/ effect if the risk eventuates) Existing Controls (Actual & Factual a control is in place, not a planned action) Control Owner Existing Control Assessment Current Level of Risk (Consequence x Likelihood) 1 Moderate (C) Possible (L) MODERATE Risk Treatment Action Plan (Approved strategies to be put in place) Treatment Owner and Treatment Due Date (for action plan) Remaining Level of Risk (Consequence x Likelihood) Minor (C) Unlikely (L) LOW Risk monitoring and reporting (e.g. Are the existing controls effective or have any failed; are treatment plans fully implemented &/or tracking to plan; and are additional measures required to manage the risk) e.g. date reviewed, controls effective, treatments delayed due to competing objectives or treatments are 90% complete. Notes: - To assess the level of risk refer Appendix 2 (Table 1 and 2). The Current Level of Risk should take into consideration the existing controls and the effectiveness of those controls. - The Remaining (Residual) Level of Risk should be an assessment based on the likely remaining level of risk once all risk treatments are implemented. Risks Assessment completed by: Date:.. Updated By: Updated On: 14 Managing Risk in Procurement Guideline January 2015

15 APPENDIX 4 - RISK TREATMENT OPTIONS Action Application Example Treatment Accept the Risk Appropriate where the impact of the risk is Manage the risk using existing procedures. minimal or insignificant and outweighs the measures, financial or otherwise, required to control or eliminate the risk. Avoid the Risk This involves deciding not to proceed or Cease the activity affected by the risk. continue with the activity likely to generate the risk (if this is practical). It should be noted that risk avoidance might well increase the significance of other risks. Reduce the Likelihood of Occurrence This involves modifying the environment to minimise the identified risk(s). When potential risk situations are identified, alternative courses of action should be evaluated to determine if the undesirable outcome could be avoided at a reasonable cost. As a general guideline, the preventative actions should cost less than expected value of exposure and/or less than the cost of the contingency plan. Review contract terms and conditions, upgrade supervisory requirements, and conduct additional project analysis. Reduce the Consequence Share the Risk This involves implementing a contingency plan (or similar actions) where preventative action is either unavailable, the cost of prevention is prohibitive or the preventative action fails. Sharing responsibility for the risk with another party, who ultimately bears some of the consequences if the risk occurs. Depending on the risk level, it is recommended that careful qualification of the third party be undertaken and contracted in advance. Contingency plan, Business Continuity Plan, alternative supplier arrangements, etc. Insurance policies or contractual agreements with third parties. 15 Managing Risk in Procurement Guideline January 2015

16 APPENDIX 5 EXAMPLE OF DETAILED RISK MONITORING TABLE Compiled by:.date:. What are the key objectives/features of the contracting project? What are the things you need to monitor to ensure that the objectives/features are achieved? Planned date e.g. monitor existing risk controls and/or the progress of implementation of risk treatments. Responsibility for action A workbook can be developed to assist in the monitoring process. The workbook should contain all relevant information relating to the contract including: Project objectives and critical success factors; Principal s and Contractor s obligations; Risk Analysis Matrix; Risk Register Table; Risk Assessment Table; Risk Treatment Table; and Risk Monitoring Table. 16 Managing Risk in Procurement Guideline January 2015