
Contract #

Project/Contract Title:
Last Modified: 10/29/2018 16:37

Procurement Risk Register

Register columns: Risk ID; Risk Name; Description of Risk; Risk Owner; Category of Causes / Potential Risk Causes; Impacts / Potential Impacts; Inherent Likelihood Rating; Inherent Consequence Rating; Inherent Risk Rating; Existing Controls; Residual Likelihood Rating; Residual Consequence Rating; Residual Risk Rating; Additional Treatments Required; Target Risk Rating

Impact Rating

Columns: Scale; Reputation / Strategy; Finances; Services; Stakeholders, Community and Clients; Legal and Compliance; Property, Assets and Environment; People (including Work, Health and Safety)

Negligible (1): Risk event can be managed within existing resources and budget.
- Reputation / Strategy: All strategic objectives will be completed on time. No media attention and negligible impact on reputation.
- Finances: Increased costs <$100k or <2% (whichever is lowest) of full year total expenses budget. Revenue leakage <3% of total revenue budget. Capital under or over-spend <3%.
- Services: Minimal disruption to services. Core business / customer systems unavailable for < 1hr. Little or no data loss. Little or no impact to data accessibility or integrity.
- Stakeholders, Community and Clients: No loss of stakeholder, community or client confidence.
- Legal and Compliance: Minor non-compliance with minimal impact on operational business processes. Rare legislative non-compliance, little or no effect on business operations.
- Property, Assets and Environment: Negligible damage to property and/or negligible cost to repair / replace asset. Negligible impact on local environment.
- People (including Work, Health and Safety): Very limited/transient staff engagement problems. No threat to critical skills or business knowledge. Minor injury, first aid treatment, minimal or no lost work time.

Minor (2): Risk event has a short-term impact and can be resolved within existing resources and budget.
- Reputation / Strategy: Some elements of the strategic objectives will be delayed. Readily controlled negative impact on reputation. Minor level adverse publicity in local media (including social media) and no broader media reporting.
- Finances: Increased costs $100K to <$500k or 2% to <5% (whichever is lowest) of full year total expenses budget, with minor impacts. Revenue leakage 3% to <10% of total revenue budget. Capital under or over-spend 3% to <10%.
- Services: Some disruption to services provided by a business unit(s) or at a site. Core business systems unavailable for between 1-3hrs. Little or no data loss. Minor impact to data accessibility or integrity.
- Stakeholders, Community and Clients: May create some short-term, temporary concern amongst stakeholders or clients. Short term poor stakeholder, community and/or client outcomes.
- Legal and Compliance: Regulatory non-compliance requiring local staff effort to rectify. Isolated legislative non-compliance, effect managed at operational level.
- Property, Assets and Environment: Minor damage to property and/or minor cost to repair / replace asset. Minor and/or short-term impact on local environment.
- People (including Work, Health and Safety): Minor staff engagement problems. Short-term loss of skills and business knowledge, effect absorbed within routine operations. Moderate injury, medical treatment and lost work time resulting in compensation claim.

Moderate (3): Risk event may affect the achievement of some objectives and can be resolved through the reassignment of resources.
- Reputation / Strategy: Some elements of strategic objectives will not be achieved. Limited adverse publicity across all forms of media. Ministerial enquiries and/or verbal advice required to Minister’s office or Treasury.
- Finances: Increased costs > $500K to <$5m or >5% to 8% (whichever is lowest) of full year total expenses budget, with significant impacts. Revenue leakage >10% to <15% of total revenue budget. Capital under or over-spend >10% to <15%.
- Services: Disruption to services provided by an operational unit or site, and affecting other operational units. Core business systems unavailable for between 3-12hrs. Non-Core Systems unavailable for 1-5 days. Loss of data of up to 2 hours. Major interruption to data accessibility or integrity.
- Stakeholders, Community and Clients: May create temporary loss of credibility amongst stakeholders and clients. Temporary poor stakeholder, community and/or client outcomes.
- Legal and Compliance: Regulatory non-compliance requiring management effort to rectify. Control failures resulting in frequent legislative non-compliance. Significant effect on DFSI business operations requiring changes to business processes.
- Property, Assets and Environment: Moderate damage to property and/or moderate costs to repair / replace asset. Moderate and/or long-term impact on local environment.
- People (including Work, Health and Safety): Key person loss. Loss of a critical skill, or some loss of skills and corporate knowledge with programs/strategies compromised. Some industrial disputes. Serious injury resulting in hospitalisation and/or significant compensation or public liability claim.

Major (4): Risk event would disrupt business activities and may threaten the achievement of objectives.
- Reputation / Strategy: A strategic objective will not be achieved. State-wide and/or national adverse publicity with major impact. Lead and/or major story in or across all forms of media. Written advice and follow up with Treasury or Minister’s office.
- Finances: Increased costs $5m to <$10m, or 8% to <12% (whichever is lowest) of full year total expenses budget, DFSI wide. Revenue leakage 15% to <20% of total revenue budget. Capital under or over-spend >15% to <20%.
- Services: Core business systems unavailable for between 13hrs – 2 days. Data loss 2hrs-3days. Significant interruption or inability to access data, or damage to integrity of data. Non-Core Systems unavailable for >5 days.
- Stakeholders, Community and Clients: Serious loss of credibility with Ministers office and/or key stakeholders and/or clients. Ongoing, serious poor stakeholder, community and/or outcomes.
- Legal and Compliance: Regulatory non-compliance resulting in notification by a regulating authority. Grossly negligent breach of legislation. Formal investigations, disciplinary action, ministerial involvement.
- Property, Assets and Environment: Major damage to property and/or substantial costs to repair / replace asset. Major impact on local and surrounding environments.
- People (including Work, Health and Safety): Loss of critical skills and key people, programs/strategies cannot be delivered. Capacity to attract quality staff is compromised. Major industrial disputes. Potential for multiple injuries. Dangerous occurrence requiring notification to Safework NSW.

Severe (5): Risk event significantly threatens DFSI’s functions and the achievement of objectives.
- Reputation / Strategy: More than one strategic objective will not be achieved. Repeated lead and/or major story across all forms of media. Prolonged negative ministerial attention. Royal Commission, inquiry, or major ICAC investigation/hearing or adverse and published Auditor-General findings.
- Finances: Increased costs $10m+ or 12%+ of full year total expenses budget. Revenue leakage 20%+ of total revenue budget. Capital under or over-spend 20%+.
- Services: Core business systems unavailable for >2 days. Loss of data >3 days. Critical loss of access to data, or critical damage to integrity of data.
- Stakeholders, Community and Clients: Critical long-term loss of credibility with Ministers office and/or key stakeholders and/or clients. Significant, ongoing poor stakeholder, community and/or client outcomes.
- Legal and Compliance: Significant non-compliance which may result in fine to agency and/or prosecution. Widespread serious or wilful breach. Prosecutions, dismissals and Parliamentary scrutiny.
- Property, Assets and Environment: Catastrophic damage to property and/or significant costs to repair / replace asset. Severe impact on local and surrounding environments.
- People (including Work, Health and Safety): Significant loss of critical skills, key people and business knowledge, programs/strategies are not delivered. Significant long-term industrial disputes involving multiple unions/large staff numbers. Catastrophic event involving multiple injuries or fatalities and/or dangerous occurrence from extensive/catastrophic damage to property and

Likelihood Rating

Columns: Likelihood Rating; Broad Description; Frequency; Probability

Almost Certain (5)
Broad Description: The event will almost certainly occur within next twelve months
- Complex process with non-effective / no controls in place
- Impacting factors are outside of DFSI control
Frequency: Risk event could occur up to several times within the next twelve months or during project life, whichever is shorter.
Probability: > 95%

Likely (4)
Broad Description: The event is likely to occur within next twelve months
- Previous audits/reports/reviews indicate a level of non-compliance
- Controls are inadequate to mitigate the risk and require improvement
- Impacting factors are outside of DFSI control
Frequency: Risk event is likely to occur once in the next twelve months or during project life, whichever is shorter.
Probability: 70% to 95%

Possible (3)
Broad Description: The event could occur in some circumstances
- Previous audits/reports/reviews indicate a level of non-compliance
- Controls are reasonable/adequate to mitigate the risk but may still require improvement
- Some impacting factors may be outside of DFSI control
Frequency: Risk event may occur during the next twelve months or during project life, whichever is shorter.
Probability: 30% to 70%

Unlikely (2)
Broad Description: The event is not expected to occur during normal operations.
- The event may occur but is unlikely to occur within next twelve months
- Process is non-complex
- Controls are in place and are mostly effective
Frequency: Risk event is unlikely to occur in the next twelve months or during project life, whichever is shorter
Probability: 5% to 30%

Rare (1)
Broad Description: The event may occur only in exceptional circumstances.
- No previous incidence of noncompliance
- Controls are effective and are being monitored regularly
Frequency: Risk event is not expected to occur for some time or during project life, whichever is shorter
Probability: < 5%

Risk Level

Likelihood       Negligible   Minor    Moderate   Major     Severe
Almost Certain   Medium       Medium   High       Extreme   Extreme
Likely           Low          Medium   High       High      Extreme
Possible         Low          Medium   Medium     High      High
Unlikely         Low          Low      Medium     Medium    High
Rare             Low          Low      Medium     Medium    High

Risk Analysis - Instructions
Identification, assessment and treatment of risks are integral to the project, governance and sourcing stages of the procurement
process. By identifying potential risks during the planning stage, decision-makers can formulate a plan to mitigate them. The effort
expended in managing risks in a procurement process should be consistent with the estimated procurement cost and complexity,
significance and nature of the process.

When identifying the risks and potential treatments to mitigate them, those with relevant expertise should be consulted. It is the nature
of risk and risk management that, sometimes, unexpected problems occur. When this happens it is important that the reasons and
circumstances are identified and documented, and taken into account in future risk analyses, including by updating guidance
documents accordingly.

All risk management decisions including risk identification, assessment and management should be recorded. This provides an
accountability trail.


1. Complete the table with the appropriate risks. Classify each risk in terms of impact and likelihood. Certain cells
have dropdown menus to select from - they are shown below with guidance for each selection.

Impact: impact increases as you move up the list.
Likelihood: likelihood increases as you move up the list.

2. The Inherent Risk Ratings and Residual Risk Ratings will be automatically calculated by the Worksheet.

3. Enter a Target Risk Rating and determine whether additional treatments are required to achieve the target.

Risk mitigation activities are those undertaken to affect the likelihood and/or impact and thereby modify
the inherent risk. This may include risk sharing; wholly or partially transferring risk to another party; or avoiding
the risk by not undertaking the particular activity. The result is to bring the risk level to an acceptable level. For
those risks that can be treated or mitigated through insurance, refer to the Insurance Guidelines.
