Риск и управления рисками в сфере государственных закупок: основные определения

1.Risk and risk management in public procurement: basic definitions

 

1. 1 The concept of risk

Public procurement of innovation concerns the acquisition of new products and/or services, of significantly improved existing services and products or a new application of organisational innovation for the provision of existing products and services. Innovation can be developed by the individual contractor, a consortium of suppliers, further the supply chain (below first tier) or in partnership with the buyer (co-production, see Hommen and Rolfstam, 2009, Uyarra and Flanagan, 2009). What is different from procurement of already existing of-the-shelf items is that in public procurement of innovation, at least some aspects of the procured item or service are uncertain or unknown. Therefore, public procurement of innovation involves a certain degree of risk. To understand and manage risk in public procurement, we first need a clear understanding of what risk actually is. There is a range of risk definitions. Following Cambridge Advanced Learner's Dictionary (2008) risk is defined as 'the possibility of something bad happening'. Risk may also be understood as 'something happening that may have an impact on the achievement of objectives... It includes risk as an opportunity, as well as a threat' (NAO, 2000, p. 1, similar OGC 2003). Based on the classical work by Knight (1921), one may include the notion of measurement, of measureable uncertainty. Thus risk can be defined as measureable uncertainty of outcome, whether positive opportunity or negative impact, whereby the measureable uncertainty is expressed in terms of likelihood. While we acknowledge that the definition of risk often used is neutral, i.e. having negative or positive effects on the outcome of an activity, the remit of this expert group and the understanding in all cases we analysed is that we limit ourselves to the negative consequence of a risk (thus not discussing opportunity management in this report).

To clarify the difference between uncertainty and risk, Perminova et al (2008) define uncertainty as 'a context for risks as events having a negative impact on the project's outcomes.' (Perminova et al, 2008, p. 77). Furthermore, risks are known and possible for managers to deal with, while uncertainty is an event or a situation that was not expected to happen.

A broader definition distinguishes between different sources for the risk to occur, as risk is resulting 'from the direct and indirect adverse consequences of outcomes and events that were not accounted for or that were ill prepared for, and concerns their effects on individuals, firms or society at large. It can result from many reasons both internally induced and occurring externally with their effects felt internally' (Kogan and Tapiero, 2007, p. 378). From this definition follows the distinction between risk as the result of failures or misjudgements and those which are the results of [to the organisation] uncontrollable events (ibid, p. 378), an important distinction when it comes to risk management.

Another way of distinguishing risk, again highly relevant for risk management and risk perception especially in our context of public procurement, is to look at demand and supply as sources for risk. Analysing the situation in the toy industry, Johnson (2001) observes that, '[d]emand for fad-driven products can move from tepid to boiling overnight and then suddenly evaporate as the next hot product sweeps the market' (ibid, p. 106). Concerning supply,' [s]upply chains that span the globe and include many emerging countries add currency and political risk that can disrupt supply and change cost structures with little notice' (ibid, p. 106). Sodhi and Lee introduce contextual risk as an additional source. (Sodhi and Lee, 2007). Supply risks are e.g. those that potentially disrupt or delay operations such as political instability and volatile labour market; potential threats that a competitor will take over a supplier and potentially lock out supplies, risks related to delays and insufficient quality. Inbound supply risk has been defined as 'the potential occurrence of an incident associated with inbound supply from  individual suppliers or the supply market, in which its outcomes result in the inability of the purchasing [organisation] to meet customer demand or cause threats to customer life and safety' (Zsidisin, Ellram, Carter, Cavito, 2004, p. 397).

Horton adds an important property of risk. For him, risk involves not only the uncertainty, but also the fact that should an event occur (in other words, should something go wrong), the consequences must affect the utility for the actors involved. If the consequences do not affect the cost-benefit calculations, we may face (even measureable) uncertainty that something happens and changes things, but there is no risk, as there are no (negative) consequences. This is not trivial and links to the need to link risk to benefit. As said above, risks in public procurement can only be assessed if they are contextualised and balanced against the benefits associated with a particular procurement. For example, the risk of failure to deliver a public service or to deliver it much later or much more costly, must be weighed against the relative benefit out of this innovative service for the agency and the private stakeholders (the addressees of the service) and against the costs of avoiding unfavourable events to happen and - if they happen - to minimise their negative consequences. In Horton's rationale, the risk, should it realise, would change the utility of an action, but if this utility still is high, if the cost-benefit considerations are still positive even in the event of the risk to occur, the action may still be conducted. Equally, if the utility without the risk to occur is extremely high, and the likelihood of the risk to occur is judged to be rather low or the negative consequences of failure are not prohibitive, the risk would still be taken.

An image of Bernoulli illustrates the meaning of relative benefit - and how it influences the perception of risk.

Somehow a very poor fellow obtains a lottery ticket that will yield with equal probability either nothing or twenty thousand ducats. Will this man evaluate his chance of winning at ten thousand ducats? Would he not be ill- advised to sell this lottery ticket for nine thousand ducats? To me it seems that the answer is in the negative. On the other hand I am inclined to believe that a rich man would be ill-advised to refuse to buy the lottery ticket for nine thou- sand ducats. If I am not wrong then it seems clear that all men cannot use the same rule to evaluate the gamble. .

The decision the 'poor fellow' is exposed to might mean the potential gain of a price if he keeps the lottery ticket and wins. He might also win nothing. If he should decide to sell the lottery ticket he is guaranteed nine thousands ducats, which would for him be a considerable gain. For a rich man, the consequences should he buy the ticket and loose, would be insignificant. What follows from this is that 'the value of an item must not be based on its price, but rather on the utility it yields. The price of the item is dependent only on the thing itself and is equal for everyone; the utility, however, is dependent on  the particular circumstances of the person making the estimate. Thus there is no doubt that a gain of one thousand ducats is more significant to a pauper than to a rich man though both gain the same amount' (Bernoulli, 1738, p. 24).

For risks involved around innovation, similar concepts have been used. Risks involved in radical innovation in general have been mapped according to three dimensions, the degree of uncertainty, the degree of controllability and the relative importance (in other words: benefit). If the likelihood of a bad result is high, the ability and resources available to influence and control outcomes are small, and the potential consequences of failure is high, a project activity should be labelled 'risky' (Keizer and Halman, 2007; Keizer and Halman and Song, 2002). Attempts to measure risk attitudes and risk aversion made through investigating behaviour of game show participants establish risk aversion among individuals (Deck, Lee, Reyes, 2008).

Our working definition and concept of risk

In sum, risk is a concept not entirely clearly defined in the literature. Our understanding for the remainder of this report is that risk is measureable uncertainty (likelihood) for something to occur that lets projects fail, decreases their utility or increases their costs and duration.². In business project terms, it can have its origin within the project or the organisation(s) involved, or outside, on the demand side, the supply side or the wider context. Further, to know certain risks alone does not suffice, risk has to be weighed against the benefits should the stated goals be achieved and the activity be successful. Consequently, risk-reward ratios will most often be different for the different actors involved in a certain project. Risks can then be characterised according to nature (what is the uncertainty), the likelihood with which they occur, the potential consequences (change of the utility or cost-benefit calculation of a project for the different stakeholders and the sources of risks). Risk management, in consequence, has to deal with all those properties.

 

 

1.2 Basic functions of risk management

In general, empirical evidence suggests that risk management increases the likelihood of success. Studies of new product development (Keizer et al, 2005) and software development projects (Bannerman, 2007) have shown that the chances of a development project to become a success increase if risks are managed well, including monitoring and application of reflective learning and sense-making throughout projects. Sound public procurement of innovation should therefore involve some kind of risk management, although it may not necessarily mean that a formal risk management structure is set up (Chapman and Ward, 2004).

Risk management also reduces costs. For construction projects, Bauld and McGuiness (2008) have found that public customers in general pay more than private costumers, and that this is related to risk management. Simply stated, they suggest that the price is affected by the risk assumed by the supplier as follows:

Price to the costumer = Supplier's cost of supply + Risk assumed by the supplier + Profit

From this relationship follows that the more risk the public procurers assign to the supplier the higher the price. Unrealistic allocation of risk built into a contract offered by a public procurer may lead to hidden costs as firms which would be able to deliver may choose not to participate in the tender at all (Bauld and McGuiness, 2008). In this sense risk management for public procurement becomes something that goes beyond the boundaries of the procuring public agency. In extension to this, a point has been made that there is also a need for suppliers, especially those which traditionally have not supplied to public sector to learn and understand the unique environment of public procurement (Davidson and Moser, 2008).

Against this background, and on the basis of the above definitions of risk, there are three major tasks for risk management³:

1.  define and assess risks and reward for all partners involved at the various stages of the procurement process, including (see also AIRMIC et al. 2002)

o   nature (kinds of risks) of risks, which may change during the various

procurement stages, o   causes and sources of risk, o   likelihood of risks to occur,

o   potential consequences of risk occurrence (additional costs, reduced reward),

 

2. for each risk, take action to avoid or reduce the likelihood of risk to materialise ( 'the likelihood of an adverse project outcome', Bannerman, 2007) and allocate responsibilities to take action to reduce the likelihood,

3. for each risk, define action to mitigate the potential consequences and allocate who bears the cost of mitigation and the reduced benefits (contingency plan, i.e. 'having in place a corporate and systematic process for evaluating and addressing the impact of risks in a cost effective way' (NAO 2000, p.2)

 

In summary, efficient risk management entails that risk should lie with the party able to best manage it. In procurement what is relevant is not only the capacity to identify and bear the risks but also the relative attitudes to risk on the part of the government and the contractor. The nature of the risks and how best to deal with them would depend on the relative complexity of the project, the relative importance of quality aspects vis-a-vis costs for the procurer, the innovation intensity (see section 2.5 below), the heterogeneity of the projects, and other aspects on the supply side (such as number and characteristics of potential suppliers, firms heterogeneity, industry structure, etc.).

 

 

1.3   Risk management models and practices

There are many different perspectives and knowledge domains that are relevant for risk management. Keizer, Halman and Song (2002) discuss the use of a 'risk facilitator', an innovation expert who is not member of the project team and therefore independent and free from bias who can work with the project manager to diagnose risk. Several authors acknowledge the importance of including experienced co-workers for successful risk management (Al-Tabtabai et al, 1997; Wade and Bjorkman, 2004). Risk management is an issue not only for project owners but also for potential contractors, where one result of such analysis could be to abandon a project (Ward and Chapman, 1991). Risk reviews, contacts with subcontractors, research on persons or client, site visits, and financial considerations are also central elements in risk identification (Bajaj et al, 1997). Evidence also suggests that encouragement to take risks within a working group increases the likelihood of radical innovations to be developed (Cabrales et al, 2008). There is also a stream of research attempting to capture gained experience in different kinds of decision support systems (Al-Tabtabai et al, 1997).

Different models of risk management exist which all have varying degrees of complexity. What many of these models have in common can be summarised as a process consisting of three stages; 1. Risk identification; i.e. that potential risks are determined; 2. Risk assessment, i.e. where the risks identified are evaluated and ranked and; 3. Risk response, i.e. identification of the way risks are dealt with (Orsipova, 2008).

The same underlying principle is also applied in the basic project risk model outlined by Ward and Chapman (1991). At the initial specification of the project, a risk analysis is carried out. The result of this analysis may render the decision to abandon the project. Other results may be that modifications of the project take place. Once the project is running, continuous monitoring should take place to avoid uncertainties as far as possible. This model is outlined in figure 1.

 

Source: (Ward and Chapman, 1991).

Another generic risk management model suggested by Zhaou and Duan (2008) is displayed in table 1. Similar to the above mentioned models, this model also displays an iterative pattern, but in their version it consists of nine steps. This model follows a life-cycle logic where each phase of a project may be scrutinised according to the steps specified in the model - and its logic can be applied to the procurement cycle model (section 2.5.1).

 

5.	Set desired results
6.	Develop options
7.	Select a strategy
8.	Implement the strategy
9.	Monitor and evaluate and adjust

Source: Zhao and Duan (2008, p. 1390)

Applying the principles described by Zhao and Duan (2008), would prompt an analysis of potential risks in the different phases of public procurement projects. Assume, for instance, that the 'determination of contract award criteria' would be analysed. An issue concerning the stage of the procurement process in which award criteria are defined lies in the difference between 'should ideally' and 'must have' requirements, i.e. whether or not a specific requirement should be mandatory, i.e. leading to exclusion of tenders which do not comply with it, or if it should be rendering higher evaluation points only (Bauer, Larsen, Bode, Standley, and Stigh, 2008). If a 'must have' specification is used for a given feature, this may exclude suppliers which lack the capability necessary to deliver it, which may, if nothing else, save the public procurers from administrative overhead. On the other hand, if a 'must have' specification is used on a market where no suppliers have in their possession the required capacity, the procurement process will fail, as no supplier will be qualified, or it will be time consuming and costly to build up capacities of a supplier.⁶

It should be noted that the way public procurement projects are set up may vary with the individual project (Osipova and Apleberger, 2007; Grasman et al, 2008). It has even been argued that in practice 'it is virtually impossible to classify procurement by any sort of rational positivist approach' (Tookey et al, 2001, p. 28). No matter how the process is organised, it seems reasonable for procurers to carry out a thorough analysis of the steps envisaged in procurement cycle in the specific case. It may be expected that such analysis would identify potential risks in advance and create opportunities for risk mitigation. If a project includes competent and experienced colleagues in the project, this will increase likelihood of success (Wade and Bjorkman, 2004).

⁶ One practical example where a tight technical specification for green technology excluded

potential commercially viable not so environmentally friendly technologies can be found in Rolfstam (2008b).

Zhao and Duan (2008) develop a risk management model for Chinese construction companies'. The purpose with this model is to identify, treat and control risks; establish a procedure for analysing the risks distribution in undergoing building projects; and to price and allocate funds according to different types of risks and to establish risk management   departments. The model includes three modules; the Risk Mechanism, the Quantification Analysis System and Optimizing Decision Making. They also discuss the use of a risk management information system. The module Risk Mechanism captures organisational aspects of risk management, i.e. the need for assigning risk management professionals or teams which at all the stages of a project monitors and coordinates safety issues. Within the Risk Quantitative Module fall different kinds of risk assessment methods. Different dimensions of risk may be assessed, e.g. the risk of natural factors; earthquakes, fires, hurricanes etc and human-induced; economic risk, political risk, material risk etc. This module may also include quantitative analysis of risk such estimations of probability of identified risks are calculated of potential impact. One study were (among other things) such probability - impact rating is discussed is a study on the South African public power company Eskom Holdings (van Wyk, Bowen, Akintoye, 2007).

The Optimizing decision-making module underscores the importance of setting up contingency plans, making optimised allocation decisions on project resources, and throughout the project periods arrange safety symposiums for project participants. (Zhao and Duan, 2008)

Based on a study of Swedish coffee companies Berlin and Leidstedt (2004) develop an a priori model of risk management in procurement where the risk policy of the procuring organisation provides input in early phases of the procurement cycle, and thus becomes an integral part of the purchasing process.

Zsidisin and Smith highlight the importance of early supplier involvement (ESI) for new product development by referring to a case study of Rolls Royce (Zsidisin and Smith (2005). The importance of interaction is well known in innovation research (e.g. Lundvall 1988, 1992). ESI underlines interaction early in the design cycle of importance to risk management and risk reduction. 'With better exchange of information comes knowledge of the situations surrounding the dynamics of a supply relationship, and with that knowledge comes greater potential for detecting, averting, and managing supply risk' (Zsidisin and Smith, 2005, p. 51). The problem variables these authors identify and how to deal with them are the following:

• Excessive cost. Target costing for suppliers, select only suppliers with cost reduction programs in place.
• Legal liabilities. Determining intellectual property rights during initial agreements. Effecting sharing of expertise.
• Quality problems. Ensuring alignment between designs and capabilities early in the design cycle. And use scorecards to track current supplier performance for determining if they should be invited to participate in new ESI projects.
 

• Supplier capacity constrains. Ensure supplier production flexibility during preselection. Share future demand forecast information immediately with suppliers to improve the planning process.
• Extended product development times. Sharing development information, material and design changes and resources.
• Inability to handle product design changes. Working with suppliers early in the product development process. Having key ESI suppliers provide 'modules' to effectively manage product integration.
• Supply organisational issues. Providing clarity of supplier management structures. Obtaining knowledge of suppliers at both corporate and plant levels.

 

One interesting ongoing trend in the construction sector discussed by Rahman and Kumaraswamy (2002) is joint risk management. This means that certain risks may not be transferred to one of the contracting partners, but are instead shared. What would be the preferred risk allocation and to what extend risk sharing could be applied in public procurement are examples of interesting questions to pursue further.

While the literature shows a consensus that risk management pays off, the monetary benefit of risk management is hard to quantify. One example is Hewlett-Packard, which introduced a risk management system in their procurement activities in 2006. This paradigmatic change within the company included development of scenario-based measures to quantify uncertainties in demand, cost and availability. This risk management approach on procurement was also changing the ways contracts are managed and development of software in order to handle uncertainties related to demand and component cost. Since its introduction this system has rendered $425 million in savings for the company. (Nagali et al, 2008.).

Much of the literature drawn on in this Section comes from experiences in the private sector. It should be noted that although risk management is commonly used, also in the private sector purchasing professionals perceive that more could be done to mitigate risks within companies (Zsidisin, Panelli, Upton, 2000). Similarly, for the construction industry literature stress the need for 'a fundamental revamping of risk allocation and management principles...' and the need for 'well co-ordinated collective actions towards both innovative and continuous improvements' (Kumaraswamy et al, 2004, p. 323). It has also been argued that in spite of the importance of early risk management, the degree of activity is in practice low (Osipova, 2007). Concerning research on risks in supply chain management, Khan and Burnes state that research in the field 'appear to generate a lot of assumptions and even more speculative advice, but not to a great deal of actual research into how organisations are managing risks.'(Khan and Burns, 2007, p. 211). In other words, although learning from the private sector should be encouraged, one should

 

also be aware of the fact that, also in the private sector, risk management is a developing area.

 

 

1.4   Risks, risk management and its cost in the 12 case studies

The case studies demonstrated that the risks encountered could be adequately described by the typology of risks included in Chapter 2 above.

Technological risks were present in all the projects, sometimes higher, others lower. It was, as expected, the case that the higher the degree of innovation the higher the technological risks. Fuel cells and the alternative internet architecture presented the highest risks. Security risks in the case of ICT are considerable, not because of technological immaturity but because of problems of potentially wrong technological choices. In some of the cases negative technical experiences in the past (in the same country or elsewhere) made the procurers more reluctant to risk and triggered a process of shifting risks to the supplier. Suppliers were willing to take responsibility for technological risks when the market was promising or they were confident for their technology. In the cases studies the technological risks were more often carried by the supplier, this risk being expressed either in the form of fines of non-delivery or late delivery or by simple shift of payments to the end of the contract. No technical inability to deliver was reported, there were however several delays or amendments. In some more explicitly dealt risks the procurer designed functionalities rather than products to be delivered. Some suppliers proved overoptimistic ex post. However there were cases where the procurer was willing to take risks because a political/project champion had a special interest attached to the innovative element of the project and the market prospects were still too remote (as in the case of the utilisation of wood for passive houses). But there the operational risks were at least taken by the supplier. When more than one procurer was involved (more often as partners in a joint venture) risk sharing was included in the contract creating the joint venture. As a conclusion from the case studies one can say that technological risks ranged from low to high; in four cases the suppliers explicitly agreed to carry the technological risks, in others the clauses were also pointing at the suppliers as risk carriers.