Risk Management and Business Continuity Planning

Risk Management

1.1 Risk is defined as uncertainty of outcome, whether positive opportunity or negative threat. In the area of Contractor Performance Management (CPM), the term ‘management of risk’ incorporates all the activities required to identify and control risks that may have an impact on a contract being fulfilled.

1.2 The realistic assessment of risk is a key element of effective CPM. Broadly, the greater the risks, the more active the CPM approach should be and the greater the care that must be exercised.

1.3 The level of risk associated with individual contracts will depend on the nature and length of contract, the stability of the service, conditions in the supply market and the risk to the user in terms of cost, quality and impact of Contractor failure.

1.4 There are six elements to risk assessment, namely:

  • Identify potential problems and their causes;
  • Assess the probability of occurrence;
  • Assess the impact on the Scottish Parliament's operation and
    reputation, if the identified risk were to materialise;
  • Evaluate the relative costs and benefits of alternative strategies to
    minimise risks, and come to a view on whether or not to pursue them;
  • Identify which party is best able to manage the risk;
  • Devise strategies (with timescales and responsibilities) to minimise risks.

The CPM risk register template should be used for all contract requirements.

1.5 A good assessment technique is to divide the perceived risks into high, medium or low categories in terms of (1) likelihood of occurrence; and (2) impact of occurrence. The SPCB should work with the Contractor to jointly develop prioritised strategies to minimise the risks, tackling the most serious ones first.

1.6 The Contractor should not be expected to bear all the risks, as this may cause the contract price to increase, thereby jeopardising value for money (VFM). Each risk should be allocated to whichever party is best able to control or manage it in an efficient and economical manner.

1.7 When managing risks, the Scottish Parliamentary Corporate Body (SPCB) will be aiming for business continuity in all possible circumstances, although it is unlikely to be cost-effective to plan for every possibility, and a certain level of risk should be accepted.

1.8 Questions to consider for each individual risk include:

  • Who is best able to control the events that may lead to the risk occurring?
  • Who can control the risk if it occurs?
  • Is it preferable for the SPCB to be involved in the control of the risk?
  • Who should be responsible for a risk if it cannot be controlled?
  • If the risk is transferred to the Contractor:
      • is the total cost to the SPCB likely to be reduced?
      • will the recipient be able to bear the full consequences if the risk occurs?
      • could it lead to different risks being transferred back to the SPCB (e.g. increased contract price)?
      • would the transfer be legally secure?

1.9 During the procurement process, correct assessment of the risks will support the setting up of appropriate procedures, the focusing of CPM resources and the establishment of the degree of risk for both parties.

1.10 During the life of the contract, the Contract Manager must monitor the risks continually, and highlight any emerging problems speedily. Many risks involved in CPM relate to the Contractor being unable to deliver, or not delivering to the right level of quality. These could include:

  • lack of capacity;
  • key staff on the Contractor-side are redeployed elsewhere, eroding the quality of the service provided;
  • the Contractor's business focus moves to other areas after contract award, reducing the added value for the SPCB in the arrangement;
  • the Contractor's financial standing deteriorates after contract award, eventually endangering their ability to maintain agreed levels of service;
  • problems within the Contractor’s own supply chain.

1.11 Other risks to the contract are beyond the Contractor's control. They include:

  • the SPCB not properly defining the requirement at the outset;
  • demand for a service is much greater than expected and the Contractor cannot cope;
  • demand for a service is too low, meaning economies of scale are lost and operational costs are disproportionately high;
  • staff in SPCB business areas with 'intelligent customer' skills are transferred or move on;
  • the SPCB is obliged to make demands that cannot be met, perhaps in response to changes in legislation;
  • force majeure: factors beyond the Contractor's control disrupt delivery, e.g. premises cannot be accessed because of a natural disaster;
  • fundamental changes in the SPCB's requirements, perhaps as a result of changes in policy, make the arrangement a higher or lower priority or change the level of demand for the service;
  • the SPCB’s inability to meet their obligations under the contract.

1.12 A key point is that business or reputational risk can never be transferred to the Contractor. For example, if an important guest caught food poisoning at a Parliament event, even though the catering Contractor would be culpable, it may cause reputational damage to the SPCB.

1.13 While a relationship based on trust, openness and communication is desirable, a customer with too much 'hands-on' involvement in the Contractor's business can end up taking back transferred risk, by not allowing the Contractor to take responsibility for managing it.

1.14 A full understanding of what the Contractor can and cannot do should enable the SPCB to strike the right balance between 'hands-on' and 'hands-off' styles of CPM. 

SPCB Approach to Risk Management

1.15 A fundamental part of the internal control of the SPCB’s activities is our ability to manage and control risk. Historically, the focus for managing risk was on financial matters, but more recently the focus has shifted to cover all threats or actions that could prevent us from achieving our aims as set out in the SPCB Management Plan.

1.16 In ensuring the SPCB delivers its key aims, it has recognised a need to identify and assess the risks to meeting these aims and this is undertaken by way of a Corporate Risk Register. 

Contract-Specific Risk Registers

1.17 Under the CPM Framework, there is a clear link between the development of risk registers and the formulation of KPIs against which Contractors’ performance is assessed.

1.18 A contract specific risk register should be developed. When formulating a risk register, the project team should take into account the following:

  • SPCB Corporate Risk Register;
  • Business area priorities - by reviewing Office plans and meeting with business area representatives;
  • Business continuity planning;
  • Inter-dependencies with other contracts – what potentially adverse effects would occur if (a) service failure in Contract X impacted on Contract Y, or (b) there was a lack of co-ordination of CPM effort across contracts;
  • Commodity-specific aspects - as enshrined in the relevant specification (e.g. furniture - reputational risk associated with buying timber from non-sustainable sources);
  • Asset Criticality – asset-focussed risk assessment is particularly important in contracts where management of critical infrastructure is core, e.g. equipment maintenance;
  • Mobilisation Period – facilitating a seamless transfer from interim to new contractual arrangements will be key to a smooth migration to Holyrood;
  • Performance Baseline – assess the existing level at which the service is being delivered - either internally or by a third-party Contractor.

1.19 The amount of detail in the risk register should be in line with the criticality of the contract – the more business-critical the contract, the more thorough the risk assessment required.

1.20 As well as formulating a risk register at the outset of the CPM process, it is important that reviews of the register are carried out during the term of the contract. For business-critical contracts, reviews should occur at least every 6 months. 

Business Continuity/Disaster Recovery Planning

1.21 A major part of CPM is considering what will happen if the service fails or is interrupted. Business continuity planning (also known as disaster recovery planning) is concerned with maintaining critical services under a range of contingencies, ranging from minor breakdown of service components right through to disasters such as loss of a building.

1.22 It will normally be the Contractor's responsibility to manage service continuity, and this will be stipulated in the contract. However, ultimate responsibility for the continuity of the business function that depends on the service will remain with the SPCB.

1.23 For example, even though the mail screening service at Holyrood will be outsourced to a third party, the SPCB is still accountable for the underlying key business process – namely, mail delivery services.

1.24 The key components of business continuity planning are:

  • identifying which services must be maintained in which circumstances – i.e. the SPCB’s key business functions;
  • a business continuity plan is drawn up that specifies how the business will continue its critical services under a range of disaster scenarios;
  • the consequent requirements for continuity for each critical service to the business are then derived;
  • service continuity plans may then be developed.

1.25 Within the Parliament, the foundation for business continuity planning is the SPCB Corporate Risk Register. This in turn makes provision for contingency measures such as the IT Disaster Recovery Plan.

1.26 Where services are provided by external Contractors, they may have a role to play in the SPCB’s business continuity planning process. Relevant contracts therefore need to include provision for the development of the Contractor’s own disaster recovery arrangements, incorporating appropriate KPIs.

1.27 Contractor plans for ensuring business continuity should be tested periodically. They should also be reviewed regularly to ensure they are in line with the SPCB’s contingency arrangements.

1.28 For business-critical contracts, in the event of serious Contractor failure, SPCB contingency plans should contain appropriate provisions to ensure continuity of service - e.g. for the service to be taken over at short notice by another Contractor.


Intelligent Customer Capability

1.1 Intelligent customer capability combines in-depth knowledge of the Scottish Parliamentary Corporate Body (SPCB) and its business with an understanding of what the Contractor can and cannot do.

1.2 It is vital that the individuals or teams responsible for managing contracts on the SPCB’s behalf have this kind of capability. The aim is to reduce misunderstanding between the SPCB and Contractor and to avoid problems, issues and mistakes before they happen.

1.3 Intelligent customer skills and experience must also be retained for the duration of the contract, so that the SPCB does not end up without enough understanding and knowledge of the services being provided to manage them effectively, or carry out an effective re-tendering exercise.

1.4 Intelligent customer capability enables the organisation to achieve the following goals:

  • gain a common understanding between the SPCB and Contractor(s) of quality/service expectations and possible achievement
  • use Key Performance Indicators (KPIs) as a basis for demonstrating ongoing value for money and service improvements
  • manage ongoing change and the effect on relationships with Contractors
  • assure consistency and conformance with standards and procedures
  • build flexibility into contractual arrangements in order to deal proactively with unexpected changes and demands
  • establish suitable baselines from which to track performance relating to service delivery and service improvement
  • understand and influence the factors which preserve and enhance relationships to achieve maximum business benefit
  • ensure that risk assessments/ business continuity plans are kept up to date to reflect changing circumstances. 
