Identifying and Assessing Risk
In part one of our “Managing Contract Risk in Procurement” series, we provided a general introduction regarding the importance of analysing the risks associated with the product or service to be provided prior to entering into the contract. In this installment we deal with the actual identification and assessment of those risks.
What is Risk?
In its pure form, a risk is considered to be an undesirable event that could adversely impact on the objectives of the business. That said, not all risk is considered to be negative. Risk management is not necessarily only concerned with the pre-empting and planning of negative risk; it also includes exploiting opportunities considered essential for the development and growth of the business.
All projects (however simple they may be considered by the parties performing them) contain adverse risk. Undoubtedly, as the human race advances in terms of globalisation and the use of technologies, projects are becoming far more complex. As such, the contracts that govern them are becoming increasingly complicated, having to deal with inter-dependencies between more parties (sub-contractors, partners, financiers, clients), the use of new technologies, the increased number of locations where the product or services are to be performed, and the rapidly evolving requirements from the stakeholders concerned.
The assessment of risk inherent in those projects must be undertaken before finalising procurement, appointing suppliers/contractors and entering into the required contracts. The role of risk management has never been more important; and its importance will only increase further the more complicated projects become.
Risk Management
Risk management is a key part of project management. Identifying and managing risk is paramount in successful projects; all risks associated with performing a particular contract require management accordingly. The best way in which to do so is to make sure that the actual drafting of the contract is undertaken in close liaison with the actual project team involved in the particular project.
Once contracts have been executed, the risk identification process has de facto been completed and the risk management, in terms of monitoring and reacting, pass over to the project team tasked with the performance of that specific project.
That said, however, an effective contracts team would continue the process of risk identification, working closely with the project team, in order to make sure, at the very least, the supplier/contractor is fulfilling its contractual entitlements. In construction projects, for example, effective project managers always have a copy of the contractual documents to hand and are aware of their content. Having an effective ‘back-up’ contracts team to assist in identifying indicators that a risk is likely to occur (‘risk triggers’) throughout the project is likely to lead to effective pro-active management attention and, thus, provide the most opportunity to minimise or eradicate the occurrence of that risk.
Identifying and Assessing Risk
The involvement of all stakeholders (the client, project sponsor, project manager & project team, sub-contractors, and the sales, finance, and contracts & legal teams - albeit not all at the same time or meeting) will enable all perspectives of their associated risks with the intended project to be ascertained.
Once obtained, they can then be characterised as to their severity and analysed accordingly in order to determine which risks will require greater attention by being specifically addressed in the contractual terms. Probability of a risk occurring and its likely impact on the performance of the project are the two factors required to be identified when characterising risk severity. A Standard Risk Severity Chart, as shown in Figure 1 below, is useful in characterising the severity of the associated risk.
The level of risk management, and therefore contractual planning, will, obviously, depend on the perceived severity of the associated risk. High severity risks will require thorough response planning and contractual oversight. Those risks which are considered to be “Catastrophic” and “Frequent” (i.e., the highest severity) are likely to result in the organisation declining to enter into the project which, in risk management terms, would be considered to be a successful, or correct, outcome.
Such severity, throughout the performance of the project, is, of course, likely to change (i.e., some risks may commence as being “Negligible” but escalate to become “Significant”, for example, and vice-versa). As such, risk severity charts will require updating throughout the life of the particular project in order to correspond to the monitored severity of the particular risk.
Figure 1: Standard Risk Severity Chart (Risk Severity = Probability x Impact)
Once the severity of the intended project’s associated risks have been characterised, they can then be analysed (by adopting qualitative methods or risk assessment, such as ‘Risk Filtering’) and ranked in the form of a “Risk Register”, which sets out their characteristics and, importantly, their priority.
The completion of such a register will then provide information to the risk management team (comprising the contracts team and the project manager/project team) identifying the risk, characterising the risk (such as whether it is a time schedule risk, cost risk, sub-contractor involvement risk, etc.), establishing the risk’s severity (probability x impact from the Risk Severity Chart), and enabling an intended response to such a risk, and a proposed mitigation strategy, to be adopted in order to deal with the risk as and when it arises.
Figure 2: Risk Register
Once such a process has been completed, it can be ascertained which of the risks are required to be specifically and adequately addressed in the contract terms to be agreed between the parties.
The contracts team will then commence the process of preparing a contract (and the subsequent negotiations with the relevant party/stakeholder) knowing which standard and particular conditions (including those clauses described in Part 2 of this series) will form part of the final terms of the contract.
In the penultimate installment of our Managing Contract Risk series next month, we will be exploring how best to develop and implement risk mitigation strategies when concluding, and performing, procurement contracts.