8.1 Risk management comprises the activities and actions taken by a relevant entity to ensure that it is mindful of the risks it faces, that it makes informed decisions in managing these risks, and identifies and harnesses potential opportunities.[10]
8.2 Relevant entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement. Relevant entities should consider risks and their potential impact when making decisions relating to value for money assessments, approvals of proposals to spend relevant money and the terms of the contract.
8.3 Relevant entities should consider and manage their procurement security risk, including in relation to cyber security risk, in accordance with the Australian Government’s Protective Security Policy Framework.
8.4 As a general principle, risks should be borne by the party best placed to manage them; that is, relevant entities should generally not accept risk which another party is better placed to manage. Similarly, when a relevant entity is best placed to manage a particular risk, it should not seek to inappropriately transfer that risk to the supplier.
- Relevant entities should limit insurance requirements in contracts by reflecting the actual risk borne by suppliers in contractual liability caps.
- Suppliers should not be directed to take out insurance until a contract is to be awarded.
[10] Department of Finance, Comcover Commonwealth Risk Management Policy.