Apply your agency’s risk framework
Augment existing risk management frameworks by embedding an innovation risk mindset into each risk management step.
All NSW Government agencies are responsible for developing risk management frameworks, and they do so under the guidance of the Risk Management Toolkit managed by the NSW Treasury.
The guidance on this page supports buying teams to apply their agency's risk management frameworks in an innovation procurement context. It embeds an innovation mindset into the key steps from the international standard for risk management, ISO 31000, shown in Figure 1.
Buying teams should always refer to their agency's risk management procedures in the first instance. This guidance does not override any agency-based guidance or anything in the NSW Treasury Risk Management Toolkit, but rather, augments existing guidance for innovation buying projects.
Supporting innovation in each step of the risk management framework
Step 1. Communication and consultation
Stakeholder identification and mobilisation give innovation buying projects the best chance of success. Communication and consultation on risk management are key considerations in both. Buying teams should engage with technical staff, subject-matter experts, users and relevant stakeholders throughout the procurement.
Engaging experts early not only helps identify potential risks but also ensures that the procurement approach achieves the agency’s innovation objectives and helps monitor the evolving risk profile. Collaboration between different experts will drive valuable insights into the unique risks associated with innovative solutions and emerging technologies, as well as more effective treatments for risks.
Step 2. Scope, context, criteria
To establish the context for risk management, buying teams will need to explore several risk domains in parallel to any context scanning they would usually do for an ICT project. This will narrow down the risk domains, expertise and tools that could be relevant to their project.
Since innovation objectives are part of the scope and context of the project, buying teams should ensure they are adopting an innovation mindset from this point onwards.
Identify the risk domains below that are relevant to your project; this will help drive risk identification at Step 3.
Uncertainty about the end solution will limit the technology risks that can be identified before proposals are received. These risks fall into several domains including cyber security, data privacy and system integration. This uncertainty is a risk in its own right, and should drive extra risk identification steps at later stages, after proposals have been received.
Engagement with technical experts should be early and ongoing, since their expertise will be needed to revisit the risk landscape and decide how to navigate emerging risks at each stage.
Buying teams need to pay close attention to risks relating to probity and fairness from the outset. These risks are amplified because of the complexity and uncertainty in outcome-focused, iterative procurement processes, the potential for change to the procurement approach after the procurement has started, and the preference for more supplier interaction to help narrow down and refine solutions.
Engaging probity expertise early (internal or external) can help narrow down risks, develop a probity plan to address them and embed probity into the design of all testing stages and engagements.
Market analysis to determine supplier maturity, while still essential, can be more challenging in a technology-agnostic buying project. This is particularly true for nascent or emerging technology markets.
By engaging supplier risk experts early, buying teams can capture the most relevant risks and controls to inform both market research and the procurement strategy. Ongoing engagement with these same experts will ensure buying teams refine their understanding of supplier capability and risks with each stage of testing and shortlisting.
Buying teams should understand, as early as possible, the extent to which the buyer of the end solution has clear objectives and success criteria and is committed to investing in a solution to meet them. The buying team may be working on behalf of a buyer or owner in another business function or even another agency, so considerable effort might be required to get clarity in this area.
The level of commitment of the buyer can open risks around funding, implementation resourcing, clarity of scope and objectives and transparency of the opportunity communicated to market. Buying teams should recognise the importance of identifying these risks early.
The likelihood that a supplier will submit, propose and/or develop new material as part of an innovation buying project is high. Intellectual Property cannot be an afterthought – adopting informed positions on the protection of Intellectual Property will help attract innovative solution ideas, foster collaborative relationships with suppliers and strengthen the industry.
To accurately identify risks relating to Intellectual Property at Step 3, buying teams will need a clear picture of what suppliers might be concerned about at each stage. For innovation buying projects, this usually needs to cover the submission of proposals, confidentiality in supplier interactions like pitch events or clarification sessions, deliverables from testing stages like a Proof of Concept (PoC) and, of course, ownership of existing and new materials.
Step 3. Risk identification
A well-described risk includes three parts and should be easy to understand for those not involved in the assessment process. These are:
- the source of the risk, or cause
- the event that could occur, or what may happen
- the impact on objectives, both positive and negative.
Read more about risk identification in the Risk Management Toolkit.
This section provides some examples of risks that might arise for each of the risk domains described under Step 2. Each example is described using the three-part structure.
Failing to identify and engage technical subject-matter experts at the start of the buying project results in incomplete technical information leading into contract negotiation. This creates a need for urgent technical advice, adjustments to agreement terms and decreases negotiation leverage. It negatively impacts value for money and timelines and damages the relationship with the preferred supplier.
Siloed communication with suppliers during delivery of a Proof of Concept (PoC) without a clear evaluation framework and corresponding probity plan can cause a supplier to perceive that requirements for the final scale stage have been biased towards another supplier's solution. This perception negatively impacts project timelines, organisational budgets and reputation.
Over-estimating the capability of the market to solve the problem can result in proposals being received for suppliers or solutions that are unproven, requiring adjustments to the procurement strategy to incorporate extra testing. While this adjustment positively impacts the management of an evolving risk profile and improves confidence in the final solution and its value for money, it can also result in perceived unfairness or bias, reducing supplier trust in the process.
Requesting proposals against a challenge statement without the full commitment of the intended buyer of the final solution can cause misaligned expectations between suppliers and buyers on whether procurement stages will proceed and some suppliers exiting the process or lodging formal complaints. This means any funds committed to early stages could be wasted and negatively impacts the project outcome and the reputation of the NSW Government as an innovation partner.
Incorporating detail from early market engagement into the requirements of a challenge statement in a way that reveals a supplier's confidential information or Intellectual Property can result in a large enterprise developing a new product based on the Intellectual Property, the original supplier losing a valuable opportunity and initiating legal action. This negatively impacts project timelines, the willingness of suppliers to participate in innovation challenges and the reputation of the NSW Government as an innovation partner.
Steps 4 and 5. Risk analysis and evaluation
Buying teams should refer to their agency's risk management frameworks to rate the likelihood and consequence of a risk, arriving at an overall risk rating and thresholds for deciding whether the risk is acceptable or requires treatment.
To take existing controls or treatments into account as part of risk analysis, buying teams may also need to supplement agency guidance with the innovation-specific guidance on risk treatments at Step 6.
The following is a snapshot of relevant sections of agency frameworks that support completing this step.
Consequence types usually include detailed descriptions of the potential impacts of identified risks and an associated rating scale. These range from financial losses and reputational damage to operational disruptions and legal implications. Narrowing down specific types of consequences helps determine the severity of each risk.
Likelihood ratings provide clear criteria for assessing the probability of a risk occurring, or the frequency with which it is expected to occur, based on an agency's specific context.
Agency risk frameworks guide users to determine the overall risk rating based on a combination of likelihood and consequence ratings. This typically involves a risk matrix or a similar tool that helps categorise risks and prioritise risk management efforts.
Risk appetite is the level of risk the agency is willing to accept in pursuit of its objectives. This is usually expressed as a risk appetite statement across one or more contexts. An agency may have a higher risk appetite in innovation contexts than in safety contexts, for example. These statements provide a benchmark against which a risk can be evaluated to decide whether it falls within acceptable limits or needs stronger treatment.
Step 6. Risk treatment
At this step, buying teams identify risk treatments that are not already in place. Any risk treatments already in place are referred to as ‘controls’ and should have been accounted for at Steps 4 and 5.
Buying teams face decisions about the level of intervention that is appropriate for each risk. Some treatment options have flow-on impacts that interfere with project or organisational objectives, so it is important to consider which treatment options are most appropriate for the situation.
The following describes different levels of intervention to help navigate decisions around risk treatment for innovation.
Risks can have positive impacts, or negative impacts that are outweighed by the positive ones. In these cases buying teams should of course take the opportunity, but may consider whether some small treatment is needed to minimise negative impacts.
In some cases, choosing not to take risks can have negative flow-on impacts. Agile procurement breaks large risks into smaller, more manageable risks, such as running more siloed or interactive engagements with suppliers to better evaluate their capability and ways of working.
While these interactions bring probity risks, choosing to remove those risks could impede the understanding of supplier capability or solution fit. For these sorts of risks, treatments that influence the likelihood or consequence are preferable.
Removing the sorts of risks that are smart to take for innovation projects can either leave an agency exposed to a poor investment decision or block innovation entirely.
Some measures can treat a risk by lowering the chances of the risk occurring. For example, if conducting siloed interaction with suppliers, the buying team can increase transparency around how those interactions will be conducted and give suppliers an opportunity to raise objections. With clear expectations, suppliers may be less likely to perceive any unfairness.
Some treatments can reduce the severity of consequences if the risk event occurs. For example, if siloed interaction with suppliers does result in a supplier complaint, good record-keeping practices will ensure the activities and processes are defensible.
For some limited types of risk, like financial or asset risks, it may be possible to share or even outsource the risk through contractual agreements. Internally, some risk treatments might not be contained within the project, but rather addressed at an enterprise level and therefore need to be transferred to an enterprise risk management system.
Step 7. Monitoring and review
This step involves not only the ongoing maintenance and revision of risks that have already been identified, but also the potential identification of new risks based on new information uncovered at each testing stage.
Effective monitoring and review should not be an ad-hoc activity but should be built into the iteration plan. This approach ensures risk management is proactive rather than reactive.
Regular reviews should be scheduled at predefined intervals and at key decision points throughout the project. These reviews should assess the status of existing risks, evaluate the effectiveness of risk treatments, identify any new risks that may have emerged and trigger communication with relevant stakeholders. The insights gained from these reviews can then be used to update the risk management plan, ensuring it is relevant and responsive to the project's evolving context and risk profile.