
32 The Authority | October 2024

Procurement Risk Management: Exceeding Basic Compliance for Real Results

By the PennBid Team

Risk is defined as “a situation involving exposure to danger,” and “the possibility that something unwelcome will happen.” At times, when authorities think of the risk associated with their purchasing process, they may believe that simply complying with the law is adequate. While that may be true, compliance is only the beginning. Authorities must implement a thoughtful and comprehensive strategy that minimizes the organization’s exposure.

This article isn’t a review of the purchasing requirements outlined in the Municipality Authorities Act. Rather, it summarizes additional risk management strategies and processes that authorities can implement to safeguard themselves and their employees.

Under the microscope

First, it’s important to understand that risk management differs considerably between the public and private sectors. In the private sector, it’s generally true that “the bigger the risk, the bigger the reward” – especially when financial gains are a driving force behind decisions. In the public sector, on the other hand, authorities provide services aimed at ensuring the health, welfare, and safety of constituents and ratepayers, a responsibility that makes the risk-management balancing act a bit more complex. Add in that the entire decision-making process is public – with public engagement and scrutiny – and the need for a robust risk management program becomes quite clear.

In addition, procurement in the public sector demands the highest integrity. Errors or inconsistencies can lead to questions about the authority’s honesty and transparency. The best defense is a proactive approach that allows officials to identify potentially high-risk situations and quickly implement corrective measures.

Analyze, assess and mitigate

Some incorrectly believe risk management is automatically embedded in day-to-day decisions. At times, this belief is accompanied by an absence of clear reporting to senior management and/or an audit committee. Additionally, when authority officials have a general misunderstanding of the purpose and relevance of risk management, employees may view it simply as a compliance exercise. A weak or absent risk management process often spawns a lack of interest in, or awareness of, risk.

One approach to developing a risk management plan is to employ the following three-step methodology:

1. Analyze: Begin by identifying all the potential things that can go wrong and estimate the probability of each happening. Your process can be as simple as necessary, but the key is to identify all the risks associated with any purchase or procurement contract. Developing and using checklists to measure whether your procurement process aligns with legal and ethical standards, along with contract deliverables, can be a great way to start.

2. Assess: Evaluate the likely impact of each risk to the authority and identify those that require actions. Keep in mind that common threats may have a low impact or consequence and may not be worth taking action to control or avoid. Conversely, some lower-probability consequences can have significant impacts and preventive actions may be appropriate.

3. Mitigate: Once all the risks and required actions have been identified, the next steps are to develop mitigation plans and assign responsibilities. Don’t forget that risk and related consequences change over time,
