Public procurement is one of the Government of Jamaica’s (GoJ) most significant operational and strategic functions and is exposed to a broad range of risks that may affect value for money, service delivery, legal compliance, integrity, and public confidence. The GoJ Enterprise Risk Management (ERM) Policy (2019) establishes a government-wide framework requiring Ministries, Departments, Agencies (MDAs), and Public Bodies to identify, assess, prioritize, monitor, and manage risks systematically. A practical approach is needed for identifying, assessing, and documenting procurement risks throughout the procurement lifecycle in accordance with the GoJ ERM methodology and the Public Procurement Act, as amended in 2025, and the Public Procurement (Amendment) Regulations, 2025.
This article focuses on a key tool in executing this: A Procurement Risk Register.
A procurement risk register serves as a central repository for documenting procurement-related risks and management actions. Its purpose is to:
- Identify procurement risks that may affect organizational objectives.
- Assess the likelihood and impact of risks.
- Assign ownership and accountability.
- Document risk treatment measures.
- Establish monitoring and reporting arrangements.
- Support compliance with procurement legislation and organizational governance requirements.
- Facilitate informed management and board oversight.
For the purposes of public procurement in Jamaica, the largest spender, the register should be integrated with the entity's overall ERM framework and be subject to the same governance and reporting standards applicable to enterprise risks.
Core Components of a Procurement Risk Register
Procurement risk registers should include the following minimum elements.
Risk Description
A clear description of the procurement risk, including:
- Cause of the risk.
- Risk event.
- Potential consequence.
Example:
Inadequate market research may result in poor supplier participation, leading to limited competition and increased procurement costs.
Risk Category
Typical procurement risk categories include:
- Strategic risks.
- Operational risks.
- Financial risks.
- Compliance risks.
- Reputational risks.
- Fraud and corruption risks.
- Contract management risks.
- Supplier performance risks.
- Information security risks.
Risk Assessment
Each risk should be assessed using the entity's approved methodology, considering:
- Likelihood.
- Consequence/impact.
- Inherent risk rating.
- Residual risk rating after controls.
Risk Ownership and Accountability
The ERM Policy emphasizes clear assignment of responsibilities and accountabilities for risk management. Procurement risk registers should therefore distinguish between ownership and accountability.
Risk Owner
The risk owner is the officer responsible for managing the risk on a day-to-day basis and ensuring implementation of risk treatments.
Examples:
- Director of Procurement.
- Procurement Manager.
- Contract Manager.
- Project Manager.
Risk Accountability
Accountability rests with the individual who has authority to ensure the risk remains within approved risk tolerances.
Examples:
- Head of Procurement.
- Chief Executive Officer.
- Permanent Secretary.
- Accounting Officer.
Clear designation of owners and accountable officers strengthens governance and avoids ambiguity regarding risk management responsibilities.
Risk Treatment Actions
The GOJ ERM Policy requires the implementation of appropriate risk treatment strategies. Procurement risk treatments should include specific actions, responsible officers, timelines, and completion status.
Typical treatment strategies include:
Avoidance
Eliminate the activity generating the risk.
Reduction
Implement controls to reduce likelihood or impact.
Examples:
- Procurement planning.
- Segregation of duties.
- Market analysis.
- Evaluation committee training.
- Contract performance monitoring.
Transfer
Transfer risk through:
- Performance bonds.
- Insurance.
- Guarantees.
- Contract clauses.
Acceptance
Accept residual risk when it is within approved risk tolerance levels.
Monitoring Requirements
Procurement risks should be monitored continuously and reviewed periodically.
Monitoring activities should include:
- Monthly review of high-risk procurement activities.
- Quarterly review of procurement risk registers.
- Monitoring supplier performance indicators.
- Tracking procurement cycle times.
- Monitoring procurement complaints and appeals.
- Reviewing contract performance reports.
- Assessing effectiveness of implemented controls.
Key Risk Indicators (KRIs) may include:
- Percentage of sole-source procurements.
- Procurement delays.
- Contract variations exceeding thresholds.
- Supplier default rates.
- Audit findings.
- Procurement-related complaints.
Reporting Obligations
Consistent with the GOJ ERM Policy, procurement risks must be escalated and reported to the appropriate governance levels based on materiality and risk ratings.
Operational Reporting
- Procurement Unit.
- Project teams.
- Contract managers.
Management Reporting
- Senior Management Team.
- Executive Management Committee.
Governance Reporting
- Risk Management Committee.
- Audit Committee.
- Board of Directors.
- Accounting Officer.
High and extreme procurement risks should be reported immediately when they threaten compliance, service delivery, financial objectives, or organizational reputation.
Procurement risk registers are critical instruments for ensuring that procurement risks are systematically identified, assessed, mitigated, monitored, and reported. In alignment with the Public Procurement Act and the Public Procurement (Amendment) Regulations, 2025, as well as the Government of Jamaica Enterprise Risk Management Policy (2019), public entities should maintain procurement risk registers that clearly document risk ownership, accountability, treatment actions, monitoring requirements, and reporting obligations. Such an approach strengthens governance, improves procurement performance, promotes legislative compliance, and supports the achievement of organizational objectives while safeguarding public resources.
For more information on managing procurement risks, please reach out through our Contact Us page, for support from our Control Tower.