A risk register is very often a statutory requirement for the company. It lists all potential risks, classifies them based on their level of risk and states the activities to mitigate or eliminate the threat. But, do we really need to have a Procurement risk register? In my opinion, yes. let me tell you why.
Risk register
The CIPS defines the below 7 steps of the Risk management process:
1. Establish the process
2. Identify the risk
3. Rate the inherent risk
4. Identify and rate mitigating controls
5. Calculate the residual risk
6. Develop and action an response plan
7. Monitor
Procurement risk register
As long as everything works as planned, the Risk register is considered a waste of time. However, we all know that, from time to time, things will go wrong. Our Office will go offline, the ERP will crash. Or the door of our warehouse will get damaged by a truck and we will need a couple of days to repair it before we can open the store again. If our crucial vendor, a single source, abruptly shuts its operation? What shall we do in those situations? What is our Plan B? This is the time when the Risk register becomes very handy.
So, here is the process of risk register creation:
1. Establish the process
To start with, we need to understand who is doing what. Create a Standard Operating procedure. There you will define who will participate in every step of the Risk Register creation. It does not have to be a long and detailed document, as long as the basics are covered. The most important part is to define how risks are going to be defined and measured. The goal is to have a uniform approach throughout the years. Otherwise, depending on who joins or leaves the team, you may have significant variations in the Risk register.
2. Identify the risk
Your team can do risk identification through:
- Brainstorming sessions,
- Reviewing past project data,
- Consulting with experts, and
- Analyzing industry trends.
In the beginning, just dump everything you deem as a risk. Then, in a couple of iterations, you will filter out real systemic risks from one-off events that probably will never happen again. I am quite sure many companies now have something like “worldwide closure due to virus pandemic” in their risk registers. But, what are the odds that something like this will happen in the next 50 years again? While the chances for a financial crisis and recession after 15 years of progress are, unfortunately, much more likely.
3. Rate the inherent risk
Rating the risk means determining how seriously we have to take this risk. While some may just cause a 1-hour disturbance in our business, some incidents can result in the closure of the business. And this applies to Supply chains too. Imagine delays in buying a screen for your CEO vs bringing in a food enhancer that is in fact poisonous.
Firstly, we need to calculate two aspects of the risk: likelihood and impact.
Risk likelihood
Let us define the levels of likelihood:
Very unlikely: It has never happened, but it is not impossible
Unlikely: it has never happened in our business. But we know that it happened somewhere else.
Possible: It has happened once or twice in our business
Probable: There is a chance of 50+ % that it will happen under given circumstances.
Very likely: There is over an 80% chance that the event will happen.
Risk Impact
And now the impact this particular event will have on the business:
Negligible: No harm to the employees. Minor financial damage
Low: Minor harm or health issue. Damage to property that is repairable without impact on the operation.
Moderate: Some harm or health issue without long-term effects. Repairable damage to the facility. Some impact on the public image of the Company
Significant: Long-term health impact. Damage that requires significant funds and time. Temporary shutdown of the operation. Significant impact on the public image of the organization, affecting sales and profits.
Catastrophic: Death or life-altering injury. Damages that result in the closure of a part or whole operation. Public and/or legal issues threatening to close the business.
Creating the risk matrix
I believe everyone has seen the risk matrix by now. Nonetheless, below is one example for reference
4. Identify and rate mitigating controls
Risk mitigation activities refer to the actions taken to reduce the likelihood or impact of identified risks. These activities are designed to minimize the potential negative effects of a risk on a project or organization. Risk mitigation activities can take different forms depending on the type of risk and its potential impact.
Examples of risk mitigation activities include:
Avoidance is the elimination or avoidance of the risk altogether, such as changing project plans or processes to remove the potential risk.
Transfer means transferring the risk to another party, such as by purchasing insurance or outsourcing a particular aspect of the project to a third party.
Reduction involves taking actions to reduce the likelihood or impact of a risk, such as implementing safety measures or redundancy plans.
Acceptance is about acknowledging the risk and deciding to accept its potential impact, either because the likelihood is low or because the impact is manageable.
Contingency planning: This involves developing a plan of action to address the potential impact of a risk should it occur, such as having backup resources or alternative solutions ready in case of a problem.
By undertaking risk mitigation activities, Your organization will minimize the potential negative impact of risks.
5. Calculate the residual risk
Calculation of the residual risk is, again, subjective. Once you have done your risk mitigation activity, what will the risk become?
Usually, you can impact either the probability or the impact. Rarely both. Try to be as objective as possible and determine how the mitigating controls affected the ratings. Then note it down in the table.
6. Develop and action the response plan
The response plan is different from the mitigating controls. Mitigating controls are preventive, while the response plan is reactive. If the event happens, what are we going to do?
Many companies have a complete Business Continuity Plan (BCP) that covers all major risks. Make sure the major risks from your Risk review get implemented too. This plan outlines very precisely who needs to do what and what are the contingency plans in every case. For example, in my previous company, we had two vendors who were ready to loan us their unused space in case our complete building got damaged by fire. Luckily, it never happened. But if it did, we were able to be up and running at a new location within 24 hours.
A very important part of the response plan is the escalation matrix. It is a sheet where it is exactly mentioned who is the person to contact 24/7 in case something happens. If there is a robbery in progress, we will call the head of security and police. However, if flooding happens, we will probably have better use of the head of Operations and the Warehouse Manager.
7. Monitor
Once the Risk matrix is created, it should not be placed in some folder (physical or on your computer) and forgotten. Circumstances change, and things happen.
From time to time the team needs to open the risk register and check if:
- The risk of some events increased, or they are happening right now
- Are there some new risks that need to be added, or some have become so negligible that they can be removed?
- Is there a need to completely redo the Risk matrix since the overall circumstances have changed significantly?
We do this in the company I am with now three times a year. We are not in an industry that works with any kind of dangerous materials or processes, hence we deem this as good enough. However, as always, this depends on your particular organization and processes.
The end results
In the end, you will reach a table like the one below:
In procurement, we do not face many risks with catastrophic impacts. What possibly could our suppliers do that will result in company closure? Nonetheless, some events can seriously damage the image of the company. Or we could get involved in a legal case due to the illegal activities of our vendors. Not to forget bribe cases, which are quite specific for procurement.
If you start looking through the lenses of risk management, you will find many risks. And both you and your management will feel safe, knowing that you have done your best to mitigate them.
