How to Write a Procurement Risk Management Policy

Thursday, August 28th, 2014

A procurement risk management policy serves two main purposes:

  • to identify, reduce and prevent undesirable incidents or outcomes (by suppliers – and buyers!) and
  • to review past incidents and implement changes to prevent or reduce future incidents (by suppliers – and buyers!).

For example, a Head of Category Management may use their procurement risk management policy to continuously analyse and improve the strategies and practices that affect their Category Managers’ performance.

Knowing how to write a procurement risk management policy is central to strategic business planning and growth.

Follow our proven process to help you write a procurement risk management policy:

1. Identify

Identify the potential procurement risks in the context of the expenditure under your management.

  • Consider the context of your expenditure across the different transactions, differentiating between short- and long-term purchases, or one-off projects. Include long-term strategic objectives and decisions, operational day-to-day activities, financial management and controls, intellectual property and information technology actions and knowledge, and compliance/regulatory issues and corporate policy decisions.
  • Assume the worst and write down all the things that could potentially go wrong throughout the supply chain and how they may occur. Accepting that this is the tricky bit is a good starting point!
  • #Tip: Ask the suppliers for sight of their risk register (they have got one, right?). Divide this information into sections to address each individually.
  • Recognise that some risks will have to be managed jointly with the supplier. Considering this angle will focus attention on risk mitigation strategies within your organisation and will, eventually, impact on relative obligations and liabilities.

2. Analyse

Analyse all the potential procurement risks that you have identified.

  • Write down how they may occur and potential methods of prevention, additional steps that could be taken to prevent them, and how those procurement risks are evaluated and assessed regularly.
  • #Tip: Make sure you widen your analysis to include technical, quality, health & safety, financial and labour-related risks, taking advice from in-house specialists in their field of expertise. There’s a good toolset to start you off here.

3. Assess

Assess all the past incidents that Procurement has encountered and how these were handled. Also consider the cost to the business of handling the incidents and the specialist resources required to effectively bring the matters to an acceptable solution.

  • #Tip: Transfer the learning to other procurement scenarios.
  • Consult past records to determine how frequently incidents have happened, and how they were handled, including processes that worked and those with improvement potential.

4. Consequences

Estimate the likelihood and impact (red, amber, green – or a scoring system 1-4? A system you’re comfortable with) of a procurement risk re-occurring or a new risk occurring, based on the history of your organisation, best practices, and peer experiences.

5. Plan

Develop a risk management plan for all of the procurement risks that you have identified, prioritising the risks that are most likely to occur.

  • Be sure to outline a step-by-step expectation for how each procurement risk will be avoided, how it will be handled if it does occur, and how it will be recorded.
  • #Tip: This will require an active procurement risk register – make sure a template is available and tested for robustness.

6. Financial ROI

It would be great if you could calculate a financial ROI, recognising this is an ‘ideal’, so don’t beat yourself up if you can’t do this for all risks. Calculate and include a cost estimate for the steps needed to align with the procurement risk management policy recommendations. Provide this information to the internal audience when the policy is proposed – and make sure you explain why cost implications and corporate performance penalties don’t apply to all of the risks you will have identified.

7. Stakeholders

Prepare a report for both internal and external stakeholders, sharing what auditing steps are in place to revisit and evaluate the policy. Wouldn’t it be great to report procurement performance on more than that one metric (admittedly a vitally important metric) of best value benefits achieved?

  • The internal and external audiences need different information; internal audiences need to know the greatest procurement risks, who is accountable for what, and how the process will be monitored. External audiences need to know procurement risk management is part of your organisation’s DNA and how the process and policy will be managed.

8. Actionable data

Create a data tracking system to input all data and statistics on procurement risk management successes and failures, training staff to use the system.

  • Creating a procurement risk assessment ‘form’ for use after an incident can be a useful tool to examine whether more risk management actions could and should have been taken. This allows all the data to be recorded right after the occurrence, and for the same information to be gathered each time.
  • #Tip: Don’t adopt a blame culture following any analysis; some risks could not have been foreseen, even with a vivid imagination!

9. Progress

Establish a regular monitoring process to review all procurement risks and evaluate how the treatment plan has been working. Oh no, another meeting! Hopefully not: surely risk can be an agenda item, embedding procurement risk management directly into the fabric of your operational activities?

  • #Tip: Use live risk registers as the basis for reviews, then update them.

10. Plan, Do, Study and Act

Revisit the procurement risk management policy every 6 months (note: 6 months is a suggestion; in some sectors, such as retail and IT, the frequency might be more often – go with 6 months initially and see how it feels) to evaluate its effectiveness by comparing incident occurrence rates. Revise the plan as necessary. Will the Deming Model ever be proved wrong? Like any process – plan, do, study, act is the bedrock of continuous improvement in procurement risk management.

  • Procurement risk management planning and evaluation must be a continuous, evolving process that integrates seamlessly into the organisation’s culture. The demonstration of effective and professional procurement risk management will be a differentiator in the procurement profession. It is an area that will convince senior management that their financial health and reputation are much less likely to take a hit!

That’s it! Useful?

How are you ensuring your approach to procurement risk management is visible?



Why Brian Farrington?

There are three themes that clients tell us over and over again.

First, they tell us they believe they are making a smarter investment working with Brian Farrington Ltd — bringing a thorough understanding of their procurement and supply chain issues and a proven track record of enabling excellent returns on their investment.

Second, our clients are confident that they are working with specialists that bring experience, expertise and stay focused on client success; not on our next income target.

Finally, people – people just like you – tell us they actually like working with us. They find us easy to work with and collaborative in solving issues that inevitably arise in procurement.

About Brian Farrington 
Brian Farrington is one of the world’s longest established procurement and supply chain consultancy and executive training specialists. 33 of the current FTSE100 have retained our services, as well as leading government organisations in the UK, North America, southern Africa and Asia. Established in 1978, we have proven expertise and experience in procurement, risk and negotiation.

Brian Farrington solutions and services are formed through consultancy, training & development and coaching – all underpinned by proprietary technology. Our four core areas of procurement capability are:

  • Strategic review and commercial governance
  • Performance delivery and transition
  • Major project support including contract negotiations
  • Learning & development in support of organisational aims.
