Procurement Transformation: The Impact of the Unknown Risk

Updated: Jul 31

If you are ever put in the position to be responsible for the assessment of whether your organisation has adequate procurement fraud and corruption risk mitigation in place, after taking a deep breath, your initial focus should be on planning for the risk assessment of your organisations procurement capability.



There is no one size fits all approach to evaluating the internal and external threats that an organisation faces from procurement fraud and corruption including the mitigation procedures that should be put in place to counter these risks. Such an assessment shouldn’t just be a tick box assessment of known risks and mitigation methods but also an additional risk-based approach for key risk areas that has been identified as part of your initial organisation risk assessment.


There are many areas to consider from vendor onboarding, procurement route, pre and post award stages, contract management and the end of life and disposal of assets to name but a few. A walk through of your processes with relevant organisational staff will further identify risks from different perspectives.


When evaluating risk mitigation requirements an assessment should first be conducted to determine which are the key risk areas, this will ensure that your organisation can properly task and coordinate its finite resources.


Part of the problem in assessing risk is the availability of information, which in itself can be a significant risk. Many organisations have departments that protect their own data and don’t share with other departments, this can create a situation where the scale of a problem is underestimated or unknown.


Such examples include an investigation surrounding an insider threat around the award of a single source contract. The conclusion of the investigation confirmed that an individual within the organisation receiving the initial procurement requirement and had set up his own recruitment company to facilitate the award of consultancy services to his own consultants. What became clear six months later was that an audit of the organisations single source procurement had been conducted without the knowledge of the investigation team. The conclusions of the audit raised significant concerns surrounding the gaps in the justification and authorisation process including the control failures in a significant number of single source contracts. If this information had been shared with the investigation team at the time then they might have better understood the scale of the risk and had the opportunity to assess whether other cases or individuals were involved.


To determine whether your organisation has the ability to assess and mitigate its own risk, a number of initial questions should be answered:


  • Do you have a communication strategy to build organisation culture and response to procurement fraud risk

  • Do you have a Fraud Response Plan

  • Do you have a documented investigation procedure

  • Have you conducted a project assessment for procurement fraud risk

  • Have you assessed your organisations capability against BS10501 British Standard, Guide to Implementing Procurement Fraud Controls

  • Do you have a structured training program that outlines current procurement fraud risk, impact and risk mitigation

  • Can your organisation centrally collect and analyse its own data for procurement fraud risk

  • Have you conducted an assessment of your procurement lifecycle for procurement fraud risk

  • Do you have asset tracking as part of your organisations asset management procedures

  • Do you have asset disposal procedures for goods and materials that are obsolete, scrap, damaged or write-offs

The answers to these initial questions will give you an insight into whether your organisation has the ability to assess its risk and if it can adequately respond to it. If you are unable to answer these questions fully, then you may want to ask yourself what is the potential impact to the organisation of not having these procedures and mitigation in place.