Contract #

Project/Contract Title:
Program:
Last Modified: 10/29/2018 16:37

Procurement Risk Register

Register
Inherent Residual
Category of Causes / Potential Additional Treatments Target Risk
Risk ID Risk Name Description of Risk Risk Owner Impacts / Potential Impacts Likelihood Consequence Inherent Risk Existing Controls Likelihood Consequence Residual Risk
Risk Causes Required Rating
Rating Rating Rating Rating Rating Rating
 Impact Rating
Scale Reputation / Strategy
Negligible (1) Risk event can be All strategic objectives will
managed within existing be completed on time.
resources and budget.
No media attention and
negligible impact on
reputation
Minor (2) Risk event has a short-term Some elements of the
impact and can be resolved strategic objectives will be
within existing resources delayed.
and budget.
Readily controlled negative
impact on reputation.
Minor level adverse
publicity in local media
(including social media)
and no broader media
reporting
Moderate (3) Risk event may affect the Some elements of strategic Increased costs > $500K to Disruption to services
achievement of some objectives will not be
objectives and can be achieved.
resolved through the
reassignment of resources. Limited adverse publicity
across all forms of media.
Ministerial enquiries and/or <15% of total revenue
verbal advice required to
Minister’s office or Treasury
Stakeholders, Community Property, Assets and People (including Work,
Finances Services Legal and Compliance
and Clients Environment Health and Safety)
Increased costs <$100k or Minimal disruption to No loss of stakeholder, Minor non-compliance with Negligible damage to Very limited/transient staff
<2% (whichever is lowest) services community or client minimal impact on property and/or negligible engagement problems
of full year total expenses confidence operational business cost to repair / replace
budget Core business / customer processes asset. No threat to critical skills or
systems unavailable for < business knowledge
Revenue leakage <3% of 1hr Rare legislative non- Negligible impact on local
total revenue budget compliance, little or no environment Minor injury, first aid
Little or no data loss effect on business treatment, minimal or no
Capital under or over- operations lost work time
spend <3% Little or no impact to data
accessibility or integrity
Increased costs $100K to Some disruption to services May create some short- Regulatory non-compliance Minor damage to property Minor staff engagement
<$500k or 2% to <5% provided by a business term, temporary concern requiring local staff effort to and/or minor cost to repair / problems
(whichever is lowest) of full unit(s) or at a site amongst stakeholders or rectify replace asset.
year total expenses budget, clients. Short-term loss of skills and
with minor impacts Core business systems Isolated legislative non- Minor and/or short-term business knowledge, effect
unavailable for between 1- Short term poor compliance, effect impact on local absorbed within routine
Revenue leakage 3% to 3hrs stakeholder, community managed at operational environment operations
<10% of total revenue and/or client outcomes level
budget Little or no data loss Moderate injury, medical
treatment and lost work
Capital under or over- Minor impact to data time resulting in
spend 3% to <10% accessibility or integrity compensation claim
May create temporary loss Regulatory non-compliance Moderate damage to Key person loss
<$5m or >5% to 8% provided by an operational of credibility amongst requiring management property and/or moderate
(whichever is lowest) of full unit or site, and affecting stakeholders and clients. effort to rectify costs to repair / replace Loss of a critical skill, or
year total expenses budget, other operational units asset. some loss of skills and
with significant impacts Temporary poor Control failures resulting in corporate knowledge with
Core business systems stakeholder, community frequent legislative non- Moderate and/or long-term programs/strategies
Revenue leakage >10% to unavailable for between 3- and/or client outcomes. compliance impact on local compromised
12hrs environment
budget Significant effect on DFSI Some industrial disputes
Non-Core Systems business operations
Capital under or over- unavailable for 1-5 days requiring changes to Serious injury resulting in
spend >10% to <15% business processes hospitalisation and/or
Loss of data of up to 2 significant compensation or
hours public liability claim
Major interruption to data
accessibility or integrity
Major (4) Risk event would disrupt A strategic objective will notIncreased costs $5m to
business activities and may be achieved.
threaten the achievement
of objectives. State-wide and/or national
adverse publicity
Lead and/or major story in
or across all forms of media Revenue leakage 15% to inability to access data, or
Written advice and follow budget.
up with Treasury or
Minister’s office.
Severe (5) Risk event significantly More than one strategic
threatens DFSI’s functions objective will not be
and the achievement of achieved.
objectives.
Repeated lead and/or
major story across all forms
of media.
Prolonged negative
ministerial attention.
Royal Commission, inquiry,
or major ICAC
investigation/hearing or
adverse and published
Auditor-General findings.
Core business systems Serious loss of credibility Regulatory non-compliance Major damage to property Loss of critical skills and
<$10m, or 8% to <12% unavailable for between with Ministers office and/or resulting in notification by a and/or substantial costs to key people,
(whichever is lowest) of full 13hrs – 2 days key stakeholders and/or regulating authority repair / replace asset. programs/strategies cannot
year total expenses budget, clients. be delivered
with major DFSI wide Data loss 2hrs-3days Grossly negligent breach of Major impact on local and
impact Ongoing, serious poor legislation surrounding environments Capacity to attract quality
Significant interruption or stakeholder, community staff is compromised
and/or outcomes. Formal investigations,
<20% of total revenue damage to integrity of data disciplinary action, Major industrial disputes
ministerial involvement
Non-Core Systems Potential for multiple
Capital under or over- unavailable for >5 days injuries
spend>15% to <20%
Dangerous occurrence
requiring notification to
Safework NSW
Increased costs $10m+ or Core business systems Critical long-term loss of Significant non-compliance Catastrophic damage to Significant loss of critical
12%+ of full year total unavailable for >2 days credibility with Ministers which may result in fine to property and/or significant skills, key people and
expenses budget office and/or key agency and/or prosecution costs to repair / replace business knowledge,
Loss of data >3 days stakeholders and/or clients asset. programs/strategies are not
Revenue leakage 20%+ of Widespread serious or delivered
total revenue budget Critical loss of access to Significant, ongoing poor wilful breach Severe impact on local and
data, or critical damage to stakeholder, community surrounding environments Significant long-term
Capital under or over- integrity of data and/or client outcomes Prosecutions, dismissals industrial disputes involving
spend 20%+ and Parliamentary scrutiny multiple unions/large staff
numbers
Catastrophic event
involving multiple injuries or
fatalities and/or dangerous
occurrence from
extensive/catastrophic
damage to property and
infrastructure
 Likelihood Rating
Likelihood Rating Broad Description Frequency Probability
Almost Certain The event will almost certainly occur within next twelve months Risk event could occur up to several times within the next twelve months or during > 95%
(5) - Complex process with non-effective / no controls in place project life, whichever is shorter.
- Impacting factors are outside of DFSI control

Likely The event is likely to occur within next twelve months Risk event is likely to occur once in the next twelve months or during project life, 70% to 95%
(4) - Previous audits/reports/reviews indicate a level of non-compliance whichever is shorter.
- Controls are inadequate to mitigate the risk and require improvement
- Impacting factors are outside of DFSI control

Possible The event could occur in some circumstances Risk event may occur during the next twelve months or during project life, whichever 30% to 70%
(3) - Previous audits/reports/reviews indicate a level of non-compliance is shorter.
- Controls are reasonable/adequate to mitigate the risk but may still require improvement
- Some impacting factors may be outside of DFSI control

Unlikely The event is not expected to occur during normal operations. Risk event is unlikely to occur in the next twelve months or during project life, 5% to 30%
(2) - The event may occur but is unlikely to occur within next twelve months whichever is shorter
- Process is non-complex
- Controls are in place and are mostly effective

Rare The event may occur only in exceptional circumstances. Risk event is not expected to occur for some time or during project life, whichever is < 5%
(1) - No previous incidence of noncompliance shorter
- Controls are effective and are being monitored regularly

Risk Level
Impact
Negligible Minor Moderate Major Severe
Almost Certain Medium Medium High Extreme Extreme
Likelihood Likely Low Medium High High Extreme
Possible Low Medium Medium High High
Unlikely Low Low Medium Medium High
Rare Low Low Medium Medium High
Risk Analysis - Instructions
Objective
Identification, assessment and treatment of risks are integral to the project, governance and sourcing stages of the procurement
process. By identifying potential risks during the planning stage, decision-makers can formulate a plan to mitigate them. The effort
expended in managing risks in a procurement process should be consistent with the estimated procurement cost and complexity,
significance and nature of the process.

When identifying the risks and potential treatments to mittigate them, those with relevant expertise should be consulted. It is the nature
of risk and risk management that, sometimes, unexpected problems occur. When this happens it is important that the reasons and
circumstances are identified and documented, and taken into account with future risk analyses including updating guidance
documents accordingly.

All risk management decisions including risk identification, assessment and management should be recorded. This provides an
accountability trail.

Directions

1. Complete the table with the appropriate risks. Classify each risk in terms of impact and likelihood. Certain cells
have dropdown menus to select from - they are shown below with guidance for each selection.

Impact Likelihood
Impact Increases as Likelihood increases
move up list as move up list

2. The Inherent Risk Ratings and Residual Risk Ratings will be automatically calculated by the Worksheet.

3. Enter a Target Risk Rating and determine whether additional treatments are required to achieve the target

Risk mittigation are those activities that are undertaken to affect the likelihood and/or impact and thereby modify
the inherent risk. This may include risk sharing; wholly or partially transferring risk to another party or avoiding
the risk by not undertaking the particular activity. The result is to bring the risk level to a level acceptable. For
those risks that can be treated or mitigated through insurance, refer to the Insurance Guidelines