The purpose of risk management is to examine and control relevant risks, to
ensure successful delivery of the project. It is essential that risk management
begin early in the SCM process. High-value purchases and complex projects
of lesser value require the preparation of a specific risk management plan
and ongoing risk assessment throughout the project's entire life cycle;
however, in less complex and lesser value projects, a plan to deal with risk
should be an element of the Individual Purchase Plan. During Process
Step 1: Identify Needs, due attention must be paid to identifying risks, their
impact, and possible Postal Service response to the risks. This stage is part
of the larger risk management process, which evolves throughout the supply
chain, and ensures that risks are understood and mitigated to the greatest
A risk is a potential event or future situation that may adversely affect the
project. Identifiable risk factors contribute to a potential risk. If a risk occurs,
there will be consequences that may significantly impact the project. For
• Risk factor - a new technology is being used for the first time
• Risk - adoption of the technology is more difficult than
• Consequence - the delivery of a project is late.
A risk may be caused by more than one risk factor, and, conversely, a risk
factor may result in more than one risk.
Risk management comprises five steps:
1. Identification - search for and locate risks
2. Analysis - transform risk data into decision-making information
3. Response planning - translate risk information into executable plans
4. Tracking and control - monitor risk indicators and take corrective
5. Reaction - implement risk actions in response to actual risk
Analysis, response planning, and tracking are performed iteratively
throughout the execution of the project, as illustrated in Figure 1.9.
Risk Management Process
A certain amount of risk taking is inevitable to achieve objectives. Continuous
risk management provides a disciplined environment for proactive decision
• Continuously assess what can go wrong (risks)
• Determine which risks are important to deal with
• Define and implement strategies and plans to deal with those
Continuous risk management requires that risks be identified throughout the
project, not as a one-time-only activity during project planning. Risks must be
analyzed on an ongoing basis to address changing project conditions and
priorities. As new risks are identified, strategies and plans to deal with them
must be developed. The Client and Supply Management may make the
decision to stop the project, based on an unacceptable level of risk.
Risk Identification is a systematic attempt to specify threats to the project
(estimates, schedule, resource loading, etc.). By identifying known and
predictable risks, the Client and Contracting Officer take the first step toward
avoiding them when possible and controlling them when necessary.
While it would be impossible to anticipate the complete universe of risks, the
aim is to clearly identify the 20 percent of risks that would have 80 percent of
the potential impact (Pareto Principle [80/20 Rule]). The following activities
are useful for clarifying and identifying risks:
• At the initial stage of risk identification, convene a brainstorming
session of the Purchase/SCM Team, during which each member
has an opportunity to identify a few project risks.
• Interview stakeholders responsible for ongoing programs and
projects, and consider the opportunities/impact of the current
• Check with suppliers regarding their plans for delivering the
• Discuss with all parties involved their understanding of the
mission, aims and objectives, and plans for delivery of project
• For repeating projects, create a risk checklist that focuses on a
subset of known and predictable risks.
• Ask "so what?" after each potential risk is identified, until a clear
cost or consequence of the potential effects of a risk, or an issue
that needs resolution, is identified. For example:
- Statement: "Project duration will be greater than 36
- Question: "So what?"
- Answer: "Project staff may be unwilling to work on the
project for all 36 months."
- Question: "So what?"
- Answer: "The risk is that the project will take 10 percent
more time than currently budgeted, to allow for the learning
curve as new personnel join the project. There is also an
issue that staff changes in mid-project are not acceptable to
Risk analysis involves the following major activities:
1. Evaluate the properties of a risk to determine the expected impact and
probability of the risk's occurrence. Each risk is categorized as high,
medium, or low, based on the impact of the risk on the various project
elements (e.g., cost, schedule, and quality).
• High risk - a major problem exists with definite, serious financial
exposure and/or customer dissatisfaction. Failure to manage the
risk would result in project failure. Aggressive management action
is required to bring the project under control.
• Medium risk - a significant problem currently exists that requires
corrective planning. A probability exists for exceeding estimates
or budgets, customer dissatisfaction, and/or limited financial
exposure. Failure to manage the risk would result in degradation
of the project performance. Management action is required to
bring the project under control.
• Low risk -the project is currently under control. However,
existing or potential problems have been identified that will
require positive management attention to maintain stability.
1. Determine the likely time frame during which the risk can be expected
2. Determine the probability of risk occurrence. Probability is categorized
as high, medium, or low, based on the likelihood that the risk will occur.
3. Based on risk impact, probability, and time frame, determine critical
risks and those of the highest priority. It is important to note that
priorities change throughout project execution, and it is critical to
continually review risks and prioritization.
Analysis of risk factors continues throughout the execution of the project as
conditions change. Issues, changes, schedule delays, defects, and staffing
anomalies are a few examples of the conditions that may arise that could
Once a risk is identified and analyzed, risk response planning is the function
of deciding what, if anything, should be done with a risk. The Purchase/SCM
Team should consider the following approaches when responding to the risk:
• Acceptance - accepting the consequences of a risk occurrence
without further action, but continuing to observe for increased
likelihood of occurrence.
• Risk transfer - transferring some or all of the responsibility for
dealing with a risk to the supplier.
• Risk reserve - deciding to use monies set aside as a risk
management reserve or risk contingency reserve. As a whole, a
risk reserve should be comparable to the probability of costs
related to accepted risks and contingency plans that would be
implemented, should the risk occur.
• Risk containment - two types of risk containment:
• Risk mitigation - taking steps to affect risk factors to lessen risk
by lowering the probability of a risk occurrence or reducing its
effect should it occur.
• Risk contingency planning - the development of a risk
contingency plan for a particular risk or for multiple risks.
It is important to emphasize that the Postal Service will not be able to control
or transfer every risk. On a high level, a risk will fall into one of these three
categories, which will affect the Postal Service's ability to respond:
• Business risk - whatever affects the Postal Service's ability to
meet business objectives. These risks are managed by the Postal
Service and cannot be transferred.
• Service/operational risk - includes design/build/finance/operate
project risk. These risks are managed by the party best placed to
do so. Suppliers and Clients share detailed plans for managing
• External risk - beyond your control, such as legislation, changes
in marketplace, etc. Suppliers and Clients produce and maintain
plans for mitigating these risks.
Liquidated damages are a contractual remedy the Postal Service may use
when there are delays in delivery or performance. Liquidated damages are
based on an estimate of daily losses that would result directly from a delay in
delivery or performance. Generally, liquidated damages are included in all
It is important to remember that providing for liquidated damages usually
increases the contract price as suppliers typically factor them into their
pricing; therefore, their use should be carefully considered. Liquidated
damages may not be used as a penalty for failure to deliver or perform on
time. The use of liquidated damages should be included in contracts only
• Delivery or performance is so critical, and the failure to deliver on
time or perform will result in such extensive damage in the form of
additional costs or loss of potential savings, that the probable
increase in contract price is warranted; and
• The amount of actual damages would be difficult or impossible to
The rate of liquidated damages must represent the best estimate of the
actual daily damages that will result from delay in delivery or performance. A
rate lower than the actual estimated rate may be used to avoid excessive
price contingencies in proposals. The Contracting Officer must determine and
document in each case that the rate is reasonable and not punitive. The rate
should, at a minimum, cover the estimated cost of inspection and supervision
for each day of delay. Whenever the Postal Service will suffer other specific
damages due to a supplier's delay, the rate should also include an amount for
these damages. Examples of specific damages are:
• The cost of substitute facilities
• The cost of lost workhours/productivity
• Rental of buildings or equipment
• The cost of additional inspection
If appropriate to reflect the probable damages, considering that the Postal
Service may terminate for default or take other action, the assessment of
liquidated damages may be in two or more increments with a declining rate
as the delay continues. To prevent an unreasonable assessment of liquidated
damages, the contract may also include an overall maximum dollar amount, a
period of time during which liquidated damages may be assessed, or both.
Whenever liquidated damages will be assessed for a supplier's delay, the
contract must include Clause 2-10: Liquidated Damages, modified as
Risks are reassessed every month to confirm their status. As a consequence,
new risks may be identified, the impact of the existing risk may be changed,
or the risk may no longer have any impact and is removed.
In this step, a risk has occurred, action is taken to correct the risk, and the
contingency plan is launched (if necessary). Risks are considered closed
when they are no longer considered threats to the project.
When the number of risks is small on a project, the Risk Management Plan
may be limited to one section of the overall project plan, without details of
evaluation and prioritization.