Analyse risks

Understand the high-level risk considerations when planning a procurement.

What is risk analysis?

Risk is the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.

A risk analysis identifies what can go wrong and the consequences if it does. It also looks at strategies to reduce or manage the risk.

A risk management plan:

  • summarises identified risks in terms of their likelihood and potential impact
  • prioritises risks for management
  • describes how the risks will be managed or treated
  • allocates responsibility for managing each risk

Controls or treatments for risks are implemented during a procurement through:

  • tender and contract documentation
  • evaluation criteria and method set out in the evaluation plan
  • contract management, set out in the contract management plan

Risks need to be continually analysed. Update the risk management plan after each step in a purchase and later when managing a contract.

How to analyse risk

Step 1: Training in risk management

Are the staff conducting the risk analysis appropriately trained in risk management techniques?

  • If yes, go to Step 2.
  • If no, arrange risk management training or seek help from an experienced risk manager before continuing.

Step 2: Is the procurement part of a larger project?

Is this purchase part of a larger project that incorporates risk management planning?

  • If yes, go to Step 3.
  • If no, go to Step 4.

Step 3: Review project risk management plan

Review the risk management framework for the project to identify:

  • acceptable risk levels
  • preferred risk management approaches
  • the policy on insurance

Step 4: Context for the purchase

Establish the context of the purchase, such as:

  • internal and external environment
  • goals and objectives
  • strategies to be implemented

Step 5: Identify risk factors

Identify what can go wrong. These are known as 'risk factors'.

Step 6: Identify how a risk can happen

For each risk factor, identify how it could happen.

Step 7: Identify how likely the risk is to occur

For each risk factor, identify how likely it is to happen, using the following ratings:

  • remote
  • unlikely
  • possible
  • likely
  • almost certain

Step 8: Identify consequences if the risk happens

For each risk factor, identify the consequences for cost, schedule or user acceptability if it does happen. Use the following ratings:

  • insignificant
  • minor
  • moderate
  • major
  • extreme

Step 9: Determine the risk level

For each risk factor, determine the level of risk. The level of risk is a combination of the likelihood of occurrence and the consequence.

Use the following ratings:

  • low
  • moderate
  • significant
  • high

Step 10: Allocate priority for managing the risk

For each risk factor, allocate a priority, using the following ratings:

  1. must be managed at all costs
  2. must be managed at reasonable cost
  3. should be managed if possible
  4. does not warrant management; we can live with it if it happens

Step 11: Allocate responsibility to manage the risk

For each risk factor of priority 1, 2 and 3, identify who is best placed to manage it.

Step 12: Determine how to treat the risk

For each risk factor of priority 1, 2 and 3, identify an appropriate way to treat it. Consider the following options:

  • accept the risk and wear any consequences
  • reduce the likelihood of it occurring
  • reduce its consequence
  • share it with someone else, typically through insurance, but also by allocating some responsibility to the supplier

Step 13: Record decisions

Document all of the above decisions in a risk management plan.

Note: Procurement risk management is usually incorporated in the risk management plan for the project of which the procurement is a part.

Step 14: Record in draft procurement plan

Either record information about risks in the draft procurement plan, or attach the risk management plan.

See Prepare a procurement plan.


Manage conflicts of interest

Manage probity – consider issues raised at Probity issues by stage and task.

Conflicts of interest can arise during this task. Identify, declare and manage these.

Address Agency rules

Follow Agency-specific rules on when to seek an approval and who can give the approval.

Follow Agency-specific rules for recording decisions and storing records.