What is risk management?
Also known as: procurement risk management
Risk management in public procurement is the structured process of identifying, assessing, mitigating and monitoring risks that could affect a procurement negatively. Think of it as a systematic review of everything that could go wrong — combined with a concrete plan for how to address each potential issue. In the EU/EEA, risk management is considered an essential part of pre-procurement planning and continues throughout contract execution.
How does risk management work?
Risk management in procurement typically follows four steps. First, the contracting authority defines clear objectives for the procurement and identifies critical success factors — without defined goals, it is impossible to assess what constitutes a genuine risk. Next, potential risks are identified, such as delayed delivery, insufficient market capacity, or procedural errors in the tender documents.
The third step is to classify risks by probability and impact, often using a risk matrix. A risk with high probability and severe impact requires immediate action, while one with low probability may be accepted or monitored. Finally, specific mitigation measures are developed and responsibilities assigned for ongoing monitoring throughout the procurement lifecycle.
Common risks in public procurement
Risks can arise at every stage of a procurement:
- Unclear requirements specifications leading to incorrect deliveries or unexpected costs
- Supplier failure or capacity issues among subcontractors
- Price fluctuations and currency changes affecting contract economics
- Procedural errors that may lead to cancellation or legal challenges
- Non-compliance with labour integrity requirements or human rights obligations in the supply chain
EU Directive 2014/24/EU does not prescribe a specific risk management methodology, but risk assessment is embedded throughout — from planning and supplier selection to contract monitoring. ISO 31000 and COSO ERM are widely recognised frameworks that many public sector organisations use. Tools like Cobrief can help suppliers understand the risk landscape in upcoming competitions and tailor their bids accordingly.
Risk management is not a one-off exercise — it is an ongoing process that should be updated whenever significant changes occur. With systematic risk management, contracting authorities are far better positioned to achieve procurement objectives and avoid costly mistakes.