Manage risk in procurement: Goods and services guide

What is risk in procurement?

Risk in procurement is the impact of uncertainty on value for money.

Risk is a factor in value for money. Risk events may impact any of the other financial and non-financial factors in value for money: fitness for purpose, supplier capability, broader government objectives, total cost of ownership, and timeliness.

Risk events may have negative or positive (opportunity) impacts. They may occur within or external to an Agency, and at any time in the procurement lifecycle, including after a contract ends.

How is risk managed in Victorian Government?

There are risk management frameworks and processes at whole-of-government and Agency levels for managing risk generally, and procurement specifically.

Whole of government

The whole-of-government level includes:

The Victorian Managed Insurance Authority(opens in a new window) (VMIA) is responsible for the VGRMF. The Victorian Government Risk Management Framework (VGRMF)(opens in a new window) describes the minimum risk management requirements to manage risk effectively.
The VMIA provides:
- practical guidance for managing risk(opens in a new window) (general, not procurement-specific)
- expert advice on insurances
Goods and services procurement policies help agencies to manage many risks that directly or indirectly impact a procurement. The policies are supported by guides, tools, and templates. For example, the invitation to supply(opens in a new window) and standard contract templates(opens in a new window) include clauses to manage risks during market approach and in contract.
These resources are available on Buying for Victoria(opens in a new window) and may be useful in addition to Agency resources.

Agency risk management framework

At an Agency level, risk management may include:

risk management governance, processes, and audit
procurement governance, strategy, policies, and processes
category management (if applicable)
risk management in individual procurements during planning, market approach, and in contract

Use your agency's procurement policies and processes for procurements.

Risk may be managed at category level. Check whether your procurement can benefit from this head-start on risk planning.

In some procurements, Agencies may seek support from their broader risk management framework or the whole-of-government framework.

Who is accountable and responsible for managing risks?

The financial delegate is accountable for demonstrating value for money, which includes risk.

Decision makers, managers, and team members may have formal responsibilities according to the Agency’s policies and the governance structure for a procurement. The sourcing and contract managers typically hold primary responsibility for managing risk in their respective stages of a procurement.

Responsibilities should be allocated for:

maintaining a risk register
implementing each risk treatment

A dedicated risk manager may be appointed for high complexity procurements.

Informally, anyone may identify risks and propose treatments.

What is the process for managing risk in a procurement?

The risk management process for a procurement involves: Plan; Assess; Treat; and Record, Monitor, Review and Report.

Process for managing risk in a procurement

The process of Plan, Assess, and Treat risk may be repeated at key stages in the procurement lifecycle; for example:

market analysis and review
offer evaluation and selection (prior to signing a contract)
annual contract reviews, variation processes, and exercising options to extend

The process may also be repeated when the risk profile of a procurement changes significantly. For example, a natural disaster, war, or pandemic may disrupt supply chains and change the risk profile.

Plan risk

Plan to manage risk. Do this when developing the project plan for a procurement.

Risk may arise early in the procurement process – be prepared.

Scale risk planning according to the complexity of the procurement.

A plan may include:

context
responsibilities
activities
schedule
stakeholders

Assess risk

Assessing risk involves three steps: identify, analyse, and evaluate risk.

When assessing risk:

involve stakeholders
consider engaging experts such as technical specialists, risk experts, researchers, and lawyers
review risks and lessons learned from similar procurements

Identify

Identify risk events that could impact the procurement negatively or positively.

Ask "What could go wrong? What could go better? What could cause it?"

Risk events may occur within the Agency or external to it.

In the Agency, risks may occur in areas such as:

the procurement business need, scope, and specifications
resources allocated and available to the procurement:
- capability and capacity of people, including specialist or professional expertise
- budget
the procurement schedule/timeframes
procurement governance, policies, processes, and systems
internal stakeholders
systems and process integration
information security

In the external environment, risks may impact the market, suppliers, and supply chains. For complex procurements, it may be helpful to brainstorm scenarios using methodologies such as SWOT, PESTLE, and PPRACKIF analysis:

SWOT stands for strengths, weaknesses, opportunities and threats - opportunities and threats are positive and negative risk events by another name
PESTLE stands for Political, Economic, Sociological, Technological, Legal and Environmental
PPRACKIF stands for People, Partnerships, Reputation, Agility, Culture, Knowledge, Information and document management, Finances

Analyse

Ask "How likely is it? What would be the impact on value for money?"

The impact may be on one or more value for money factors: fitness for purpose, supplier capability, broader government objectives, total cost of ownership, and timeliness.

Where more than one impact is possible. Select the one that has the highest impact or register different impacts as separate risks.

Evaluate

To evaluate risk, determine the likelihood and the impact, and then select the appropriate initial risk rating. The initial risk rating is the level of risk prior to treating the risk. [Mathematically, multiply likelihood and impact to get the rating score].

Use your Agency’s risk evaluation matrix.

Simplified risk evaluation matrix. Alternatively, below is a simplified approach using two evaluation matrices for evaluating negative and positive impacts respectively:

Simplified risk evaluation matrix: Negative

Download 'Simplified risk evaluation matrix: Negative'

Simplified risk evaluation matrix: Positive

Download 'Simplified risk evaluation matrix: Positive'

The Manage risk in procurement: Toolkit(opens in a new window) provides these risk evaluation matrices.

Rating descriptions

Descriptions for ratings assist with application and promote consistency. Use descriptions that are meaningful. Consider the examples below.

- Unlikely – not expected, 0 - 40% probability
- Possible – may occur, 41 - 60% probability
- Likely – expected once, 61 - 80% probability
- Almost certain – may occur more than once, 81 - 100% probability
- Minor – low short-term impact manageable within existing resources and budget
- Moderate – significant medium-term impact on some objectives
- Major – strong long-term impact on objectives; may impact other agencies or the State of Victoria
- Low – acceptable; treat within budget if the benefit exceeds the cost; monitor periodically
- Medium – acceptable; treat within budget if the benefit exceeds the cost; monitor routinely
- High – unacceptable in most circumstances; avoid, transfer, or treat to low or medium residual risk; escalate for approval if residual risk remains high; allocate contingency (if applicable); monitor closely
- Extreme – unacceptable; avoid, transfer, or treat to low, medium or high residual risk; escalate for approval if residual remains high; allocate contingency (if applicable); monitor closely
- Low – desirable; treat within budget if the benefits exceeds the cost; monitor periodically
- Medium – desirable; treat within budget if the benefit exceeds the cost; monitor routinely
- High – highly desirable; escalate for approval to allocate contingency (if applicable); monitor closely
- Extreme – extremely desirable; escalate for approval to allocate contingency or increase funding (if applicable); monitor closely

Treat risk

Treat risk by selecting and implementing measures to change the likelihood and impact of initial risks to an acceptable level of residual risk.

Steps:

consider the effectiveness of current controls (from whole-of-government and Agency levels)
develop treatments:
- accept
- avoid
- transfer (including share)
- reduce or increase
assess residual risk
implement treatments

Treatments may be applied before a risk event occurs, after the risk event occurs, or both.

Risk treatments should be cost-effective, proportionate, and appropriate for the Agency's risk appetite and resources.

Efficiencies can be gained where a treatment is effective for multiple risks.

Consider performance measures to evaluate the effectiveness of treatments.

Record, monitor, review and report

Record, monitor, review, and report risk functions occur throughout the procurement process. For more detail below.

Record the risks from procurement project planning to contract closure (or disposal, whichever is the final activity).
Records must be kept to demonstrate value for money.
Records should be sufficient to allow someone to reconstruct the key elements of the procurement to understand what was done and why.
The risk plan and risk register are key records for risk, and risk decisions (including escalations). These documents may be included with other documents.
The Manage risk in procurement: Toolkit provides a risk register template.
Risk plan. Review the risk plan and update it as more information is gained about the procurement and risk. At a minimum, review the plan at:
- the end of the planning stage before commencing the market approach
- at the end of the market approach stage before executing the contract
Risk register. Review the risk register at key milestones or periodically (for example monthly or quarterly) until the contract is signed. Once in contract, review the risk register at least annually.
When reviewing the register, consider:
- changes to the procurement objectives, specifications, scope, and budget
- changes in the internal and external environment
- risks that can be closed because the procurement is past the point where they could occur
- new or emerging risks
- the effectiveness of controls and treatments, and any improvements to be made
Report risk as required by the Agency's risk management process. Include details in the procurement risk plan.
Risk should be reported as part of procurement documents submitted for approval or oversight, such as the market approach plan, the offer selection report, contract approval, contract reviews, contract variations, and exercising options to extend.
Check if your Agency has a risk reporting template. A risk register may be useful for reporting risk.

Scale risk management to complexity and risk

The complexity assessment done at the start of a procurement activity drives the scale of procurement processes, including risk management.

Complexity serves as a proxy for risk until risk is assessed. Once risk events are assessed and the risk profile is confirmed, risk management can be adjusted as necessary.

The same risk management process applies across the range of complexity from simple to strategic procurement. However, the level of detail and effort increases as complexity and risk increase. Indicative scaling of risk management is shown in the accordion below.

Simple procurement is buying routine, standardised goods and services of low value and risk. A simplified, streamlined buying process may apply where the Agency's need is well-defined, and the requirements are straightforward for suppliers to deliver.
Simple procurement is the lowest level of complexity within the transactional quadrant. It is likely to be low risk. The informal procurement processes that are characteristic of simple procurement are mirrored in how risk is managed.
Plan:
- Plan to assess and treat up to five risk events before approaching the market.
- Plan to review risks when selecting an offer prior to awarding a contract.
- Stakeholders:
  - manager
  - users
  - staff involved in a previous or current procurement for the same or similar needs
Assess:
- Engage stakeholders and use the risk evaluation matrix.
- Assess Agency and market risks.
Treat:
- Treat low risks where there is a net benefit, and any medium or higher risks.
Record, monitor, review & report:
- Records may be a section in an email, a risk register, or the Agency's template/form.
- Monitor and respond to risks in contract.
- Review risks when selecting an offer prior to awarding a contract.
- Report risks to the relevant manager or financial delegate as part of approval to accept the preferred offer and award the contract.
Goods and services policies assess complexity as transactional, leveraged, focused and strategic. Agencies may alternatively assess complexity as low, medium or high. Typically, transactional is low complexity; leveraged and focused are medium complexity; and strategic is high complexity.
Plan:
- Outline (lower complexity) or detail (higher complexity) the risk management process and deliverables for the procurement, such as responsibilities, activities, schedule, and stakeholders.
- Outline/detail use of risk assessment tools, a risk register, and risk reporting.
- Plan to review risks prior to awarding the contract, annually in contract (if applicable), for varying contracts, and for exercising options to extend.
- Include sufficient detail in the plan so that everyone involved knows what they need to do, how to do it, and when.
- Stakeholders:
  - the sponsor and financial delegate
  - users
  - staff involved in a similar procurement
  - other Agency experts such as legal, finance, health and safety
  - external experts (higher complexities)
Assess:
- Engage stakeholders and use the risk evaluation matrix.
- Assess Agency, market, and broader external risks.
Treat:
- Treat low risks where there is a net benefit, and any medium or higher risks.
Record, monitor, review & report:
- Record the risk plan:
  - lower complexity – as a section in the project plan for the procurement as a few paragraphs or a ‘one pager’ in bullet point format
  - higher complexity – a detailed risk plan attached to the project plan
- Monitor and respond to emerging risks throughout the procurement, and escalate as necessary.
- Formally monitor risks at contract performance meetings with the supplier.
- Review the risk plan as scheduled and if the risk profile changes significantly
- Use a risk register to report risk when seeking approvals from the financial delegate, and other procurement or risk governance committees or boards to:
  - approach the market
  - accept the preferred offer and award the contract
  - vary the contract
  - exercise options to extend
- Use a risk register to report risk in annual contract reviews.

Manage risk in supply chains

What is a supply chain?

A supply chain comprises the people, businesses, resources, and activities to produce and provide goods or services to a customer. It is a connected series of inputs and activities.

A supply chain may include labour, raw materials, energy, research and development, design, systems, information, facilities, security, manufacturing, transport, warehousing, sales, delivery, installation, integration, training, maintenance, and repair.

A supply chain may be complex, including:

multiple suppliers
many different raw materials as inputs
components or subsystems manufactured or assembled at multiple facilities
more than one form of transport may be used for multiple transport legs (such as road - rail - port - road)
manufacturers or wholesalers may sell direct or through an agent, distributor or retailer
international elements (political, legal, language and culture, time zones, export/import regulations)

Why manage risk in supply chains?

Manage risk in supply chains to achieve value for money.

Risk in supply chains may have negative impacts. For example, geopolitical factors cause transport of finished goods to take a longer route, delaying delivery of goods and increasing costs.

Risk in supply chains may also have positive impacts. For example, exchange rate uncertainty may benefit an Agency where the exchange rate changes to make imported goods cheaper.

When managing supply chain risk, it may be possible to turn a negative impact to being a positive impact. For example, negative impacts of uncertainties in overseas supply chains may be treated by using local supply chains instead. This may reduce negative impacts and deliver positive economic and social impacts.

How to manage risk in supply chains?

Manage risk in supply chains the same way as any other risk – apply the standard risk management process.

When starting the procurement, category plans may provide detail on supply chain complexity and risk. If not, plan to manage supply chain risk based on the complexity assessment for the procurement.

During market analysis and review, analyse the market’s supply chains and assess the risks. This will inform how to approach the market and what to include in the invitation to supply. Consider including questions for suppliers about risk in their supply chains and how they will manage it.

Once offers have been received from suppliers, and evaluation commences, assess the risk in the supply chains for each offer/supplier. After assessing the risk, treat that risk in negotiations and in the contract as appropriate.

The contract should specify buyer and supplier responsibilities for managing risk. For example, the standard goods and services contract templates have clauses covering responsibilities for subcontracting.

Consider workshopping risk, including supply chain risk, with the preferred supplier prior to contract award. This may enable clear risk allocation and responsibilities for buyer and supplier to be costed and included in the contract.

Once the contract commences, monitor and review risk in the supply chain. Monitor the supplier’s performance of its supply chain risk management responsibilities.

When risk events occur, seek assurances that the supplier is responding effectively. There may be actions that the buyer can take independent of the supplier or to assist the supplier with recovery. Be empathetic, and treat the supplier fairly and respectfully. Collaborate and exercise contractual rights as appropriate. Bear in mind that achieving an effective response is in both parties’ interests.

Tools and support

Access a document version of this guide in the Toolkit and library(opens in a new window).

This guide is supported by:

Manage risk in procurement: Toolkit(opens in a new window)
Manage risk in procurement: Training course (coming soon)

For more information about how to manage risk in goods and services procurement, please contact the goods and services policy team.

Updated 10 July 2025