What Risk Management means in Procurement

Throughout any procuring process, Risk Management is a critical and continuous process, and appropriate risk assessment should be undertaken, reviewed and managed not only for successful procurement but also to ease accountability.

Engaging with the current  market conditions in terms of identifying the desired outcomes, risks and issues is critical. This permits suppliers to provide feedback on how the outcomes might be achieved, the risks and issues as they see them, along with feedback on timescales, feasibility and affordability. It is also best practice to ensure that suppliers are contractually required to provide line item spend details as part of the contract support. With the market research in place, all risks and issues identified should have clear mitigating actions, appropriate owners and a review.

A risk can be defined as an uncertain outcome (either positive or negative) that may affect the course of a procurement exercise at a future date. An issue is a factor affecting the development or the implementation of the commodity/service strategy at the present time. Actions are therefore immediately put in place to resolve the issue due to its urgency.

All procurements will contain risks that may impact on their progress therefore it is important to identify and assess risks in the present so that the risk can be managed to prevent it from becoming an issue.

Why is Risk Management Important?

Effective management of risk helps you to manage innovation and improve performance by contributing to:

-Increased certainty and fewer surprises.
-Better service delivery
-More effective management of change
-More efficient use of resources
-Better management at all levels through improved decision making
-Reduced waste innovation
-Management of contingent and maintenance activities

Risk Identification

The initial identification of risks and issues with the potential to impact on the objectives of a given procurement exercise is essential in terms of understanding.

Sources of risk can be divided into four categories:


Many risks will be generic across all procurement exercises conducted by an organisation however there will also be project specific risks that you must consider.

Risk Assessment

The purpose of risk assessment is to assess the probability of risks occurring and their potential impact.


Once risks have been identified and assessed they must be addressed and controlled. The response must be proportionate to the level of the risk that will have been determined as part of the risk assessment.


Risks should only be tolerated if the result of their assessment is low or very low. The cost of taking an action may be disproportionate to the potential benefit gained. This does not mean no action should be taken at all. You should continue to monitor the risk and note any changes in the situation that may result in an increased level of risk.


The purpose of ‘treating’ a risk is to reduce the risk to an acceptable level for the organisation. It is likely that a large number of risks will belong to this category. There are many courses of action an organisation could take to ‘treat’ risks.


Before deciding to transfer a risk to a third party, you should consider who is best placed to manage the risk. It may be that the risk is best managed internally within your organisation. It is also possible that transferring risk to a supplier will result in a significant cost to your organisation and this should be considered before taking this course of action. Also remember that whilst you can transfer responsibility for an action, you cannot transfer accountability.

Review & Rethink Strategy

If the assessed level of a risk is very high, you may need to reconsider your approach. In some circumstances it may be necessary to stop the current course of action and start over. It should be noted that the option to terminate activities should be exercised as a last resort, where other courses of actions have not mitigated the risk to an acceptable level. You should consider that the reason a number of activities are conducted in the public sector is because the associated risks are so great that there is no other way in which the output or outcome, which is required for the public benefit, can be achieved.

When controlling risks at the contract management stage, cooperation and dialogue between a contract manager and supplier should be actively encouraged. If suppliers feel able to share information about potential problems at the earliest opportunity then small issues can be dealt with and not escalate.

Risk Monitoring

One of the most common approaches to monitoring risks is the use of a risk register. The risk register should be set up at the start of the project and reviewed at each stage of the procurement and contract management process e.g. Strategy, SPD, ITT, Contract Award, and Contract Review Meetings. Risk monitoring should be a continuous process.