About the Author:
Bridget Larsen is Policy Manager, Government Procurement with the Australian Information Industry Association. AIIA has been lobbying governments on the issue of Risk Management and capping liability for several years.
Following the federal government‟s announcement last August that liability will be capped in most cases, the focus has now shifted to implementation. Six months down the track, we look at how is this working in practice.
Discussions with AIIA members suggest that implementation is best described as patchy, with some agencies reflecting the new policy in their drafts and discussions, others unaware of it and others perhaps a little unsure of how it should work in practice. Changing practices entrenched for decades, particularly on complex issues, will take time. However, industry can play a significant role in helping change both their own practices and encouraging government to improve risk management practices.
The new liability policy requires that FMA agencies cap the liability of suppliers at appropriate levels in most cases, unless otherwise justified by a compelling reason. The limit is to be agreed based on the outcome of a risk assessment.
Some companies have expressed concern that presentation of risks in the competitive tender phase may „open a can of worms‟. Certainly, if presented without careful thought, it can simply give evaluators a reason to exclude your bid. However, there is also a significant opportunity for companies to use risk management as a means of differentiating their offering, a means of partnering with government to help provide solutions and of course, a means of negotiating an appropriate cap.
Ten tips on risk assessment in government contracting:
1. Ensure that all your relevant staff are conversant with the new policy – this should include managerial, BDM/bid, legal/compliance, finance and delivery roles. A government education program is underway, but not all government officials are aware of it.
2. Be well informed and help them comply. Printed copies of the policy guide are now available – AIIA has some copies for members (contact email@example.com). Print and electronic copies can also be obtained from DCITA.
3. If you don‟t already have it, get a copy of the relevant Australian Standard on Risk Management, AS/NZS 4360.This standard is referenced in the policy and provides a wealth of information on how to conduct a risk assessment.
4. Consider appointing a „risk champion‟ – someone who can ensure that your company has an appropriate corporate risk management policy and practices, can assist in your risk analysis and response in government contracting – and don‟t be shy in letting the government know that you have someone who performs this role.
5. Review key government reports on government ICT programs that have not gone to plan and learn from them (for example, CMS). Demonstrate how you can help your client agencies deliver on time and on budget and keep off Senate Estimates‟ radar!
6. Develop a good corporate risk management policy and have processes in place to support it. Increasingly, government is asking for evidence of these in its tender documents.
7. Go to government with a risk management based solution before it asks for one.
8. Consider reviewing the various ANAO reports which highlight where various departments have failed to meet certain levels of compliance required of them. This issue was highlighted earlier this week when ANAO‟s CIO presented at the AIIA‟s Canberra Managers‟ Forum. Members can access the slides from AIIA‟s Presentation webpage.
9. Be cognisant of risk at all stages of the procurement cycle, from bid qualification, through tender preparation and contract negotiation... and don‟t forget to review and update the plan, ideally, together with your customer, regularly throughout the delivery phase.Remember that while risk management is related to liability, simply adding up the financial „worst case scenario‟ of all supplier risks does not give you a magical liability cap. This is an art not a science. Common sense suggests that not every risk will eventuate, so consider focussing on the most likely risks.Agency practice is still in its early days when it comes to risk management in ICT. However, greater focus on risk management in government is a general trend that is here to stay. Some agencies will helpfully provide you with an outline of risks that they‟ve identified – a great opportunity for you to show how your solution assists. Others won‟t provide you with any indication – in this case, your response should try to anticipate the risks and address them (delicately!). Some agencies will provide an indication of the level of liability cap; others may invite your suggestion. Either way, it‟s an opportunity to have a good discussion on risk management, which ultimately helps inform much more than the agreed cap.
10. Finally, get expert advice from professionals that intimately understand the government market! Getting this right, early, can help you win the business, build a good relationship, good business and negotiate manageable terms. Or consider attending one of the workshops on this issue currently being run by Intermedium, together with Broadleaf Capital. The next Preparing Effective Risk Management Plans workshop will be held by Intermedium in Sydney on 20 March.
While only a number of jurisdictions have a policy of capping liability based on risk to date, industry can help encourage uptake in other jurisdictions by applying similar thinking to all government contracting. So often we hear “come to me with a solution, not a problem” – so let‟s show them how good the ICT industry can be at problem solving.