Why perform risk management in procurement?
Risk Management is a critical element of procurement management that is often overlooked.
You wouldn’t buy a used car from someone without performing some form of risk management beforehand, right? You would verify the vehicle history, damage, mileage, and condition, and probably have a plan B to buy another car.
But way too often in the corporate world, tasks are rushed and solutions deployed without proper risk management. Sometimes risks have not even been identified, and way too often that’s how projects fail when (un)expected problems come up. And believe me, problems always come up… If a small voice in the back of your head has been asking all this time “what if xyz occurs…?”, then next time make sure to apply the 4 simple steps below to manage risks in your project.
Identify the risks
The easiest way to identify risks is to simply have a brainstorming session of all the possible risks. Remember risks can be positive (opportunities) or negative (threats), or if you prefer, a positive risk is one that generates a positive monetary outcome, while a negative risk is one that costs you money.
You should remember 2 rules about brainstorming:
- There are no stupid ideas when it comes to identifying risk. Better safe than sorry.
- Make sure that everyone participating in the project is invited to share their ideas. That means inviting internal and external stakeholders, especially in scenarios where you procure from outside.
You don’t want to end up realizing later that a critical issue is jeopardizing your entire project because you forgot to ask your supplier if it fits the lead time or perhaps because you thought it would be silly to ask about something that was unclear to you months ago.
All right, you now have a list of risks. The next step is to assign attributes to each risk. This simply means understanding who it may affect, what causes might make the risk happen, and any other relevant criteria that may be useful to you.
Finally, remember to keep all the risks organized in a risk register. The simplest way is to use a spreadsheet. Nothing is worse than not being able to find the list of risks again. This is a living document; we will come back to it shortly in this article.
Tip: you can use my free template at the end of this article.
Assessing and classifying the risks
This part involves 2 activities: one mandatory, and one optional for significant risks only.
- Mandatory: performing a qualitative risk assessment, which involves discussions with subject matter experts and the persons closest to a given process.
- Optional: performing a quantitative risk assessment, which involves doing further analysis.
Develop risk response plan
When developing a risk response plan, it is important to keep in mind the organization’s attitude towards risk. Each response should be tailored to the specific risk and category of purchase. You don’t take the same approach to risk management when you are in the pharmaceutical industry procuring a critical component for a new drug as you do for your everyday office supplies purchase.
There are a few must-haves in a risk response plan:
- What – what to do for each risk? The specific steps to be taken.
- When – when to do it? The trigger event must be well defined: is it a specific metric that should be monitored closely, or a specific event that occurs?
- Who – who is the person in charge and accountable for deploying the risk response plan?
- Approval – this ensures that the risk response plan is officially approved. In a company, this means going through the proper approval workflow, and funds will need to be properly allocated to each risk.
All those elements should be added to the risk register where all the risks were previously identified.
Executing Risk Response Plan
Now we are ready to implement the planned risk response to the specified triggering events. In other words, we execute what we previously planned – we plan what we do and we do what we plan.
It is important to always analyze the variance from expected results to see how effective risk responses are and identify new risks or triggering events. This is part of continuous improvement and lessons learned. A topic for another article.
Finally, as mentioned earlier, the risk register is a living document. It should be reviewed periodically in the following areas:
- Identifying new risks as the project is being developed
- Defining new planned responses for those new risks
- Reassessing existing risks as the project and context evolve
- Determining the outcome of responses to ensure they fulfilled their original purpose
- Removing risks that are no longer relevant in order to keep our register up-to-date
Proper risk management is considered best practice and should be applied to all projects and disciplines.
Remember that the risks identified will often impact not only procurement but also departments such as quality, logistics, and engineering, so it is important to involve all people and ideally take a cross-functional approach to risks.
The Procurement Risk Register
The risk register is your most important document when performing risk management.
In its simplest form, a risk register is a living, iterative document, usually a spreadsheet, where we record all of our identified risks, the qualitative risk analysis (mandatory), the quantitative risk analysis (optional), and the risk response plans.
This document should be widely shared, often reviewed, and always up-to-date.
When the doomsday scenario is coming (e.g. supplier delivery is delayed), it is most likely not the time to ask yourself “what is my risk response plan?” This should have happened before; otherwise it’s called firefighting, and if you are reading this, chances are you didn’t sign up to be a firefighter but a procurement professional. As I always say, you plan what you do, and you do what you plan.
But why shouldn’t you keep all this information in your brain instead? First, telepathy doesn’t exist yet, so good luck
So keep it easy, simple, and accessible.
What to put in my risk register?
Commonly used attributes associated with a risk are:
- Cause: a cause is usually given when a risk is identified; this cause may change upon further investigation.
- Rating: this is a function of probability times impact. It also allows risks with a higher rating to be monitored more closely.
- Triggering event: the event that will make the risk materialize.
- Response: there are 4 types of possible responses to risks:
  - Accept: sometimes the best decision is to take no action, if the risk probability or impact is low or if the cost to proactively deal with the risk is too high and therefore not worth it.
  - Avoid: this response involves purposely altering or modifying a plan, feature, or specification in order to eliminate the risk.
  - Transfer: this implies moving the risk to a third party. It can be done by purchasing insurance or by having an agreement to contractually transfer the risk to a supplier.
  - Mitigate: this is a preventive measure to reduce the probability and/or impact of identified risks.
Conclusion
Practicing risk management in procurement is essential: it helps to ensure that your project will succeed by having the risks clearly identified, assessed, and monitored. In other words, it helps you as a procurement professional to have things under control instead of firefighting the inevitable issues that will arise.
To take an analogy, it’s way too late to come up with a plan when the house is already burning. It’s always a better choice to prevent the house from burning by identifying the potential risks and having the proper solutions in place, such as installing a fire alarm and sprinklers and having fire extinguishers ready to be used. If the unfortunate event of a fire materializes, you just need to execute the risk management plan, and you will feel confident because you prepared for it.