Managing Public Procurement Risks in Greece

The first step in the risk management process and the risk assessment is the identification of all public procurement risks throughout the procurement cycle (see Figure 3.1). The risk identification consists in identifying all the risks that impact the different objectives related to each activity of the public procurement process. A risk that has been identified does not mean it will materialise.

Identifying the risk factors requires knowledge of the operational/policy area of the organisation, the legal, social, economic, political, and technological environment, the processes, and systems supporting its operation (such as information systems) and its organisational structure (The National Transparency Authority, 2024[1]).

The identification of public procurement risks should start from the very early stages of the procurement stages and should be performed on a regular basis.

Based on the scope, it would be recommended to integrate the identification of risks to key public procurement milestones in line with those defined by the entity from early needs assessments to the contract expiry.

Risk identification should be undertaken through a range of methods, including analysis of historical data, surveys and questionnaires, interviews and focus groups, discussions with key stakeholders, research of relevant publications, and case studies and can be supported by the development of standard checklists and templates (OECD, 2023[2]).

Below are detailed some methods and sources of information that public entities can use to identify public procurement risks throughout the public procurement cycle:

• Brainstorming: For an initial risk management exercise, brainstorming is still in practice the most widely used and proven tool. It is a structured reflection based on the objectives, activities and processes to identify concrete risks, analyse them and evaluate them through a well-structured process (predetermined and concrete agenda, precise timetable) (OECD, 2020[3]).

• The five whys: It consists of iteratively asking the question ‘why’ until the final controllable cause is uncovered, with the number of iterations depending on the complexity of the risk. For example, a failure to carry out an appropriate needs analysis could be caused by the absence of an appropriate methodology, which can be the result of a lack of capacity in the buying organisation, and ultimately gaps in the training of procurement professionals with responsibility for needs analysis. Implementing this method requires working with those directly involved, including appropriate stakeholders, and confining the analysis to addressable causes. (OECD, 2023[2])

• External feedback (audit reports, reports from international organizations, experience of the private sector, main players, etc.).

• The opinion of qualified and experienced experts for certain specific, complex, and high value contracts.

• Red flag systems: Red flag systems or indicators can also be established to indicate when risks should be further investigated or escalated to decision makers. Red flags can include complaints from bidders, the share of contracts below procurement thresholds compared to the overall procurement volume of the entity, unusual bid patterns (bid rotation, law number of bidders, etc.), repeated awards to the same contractor, multiple contract change orders, or poor-quality goods, works, or services... Public procurement data and in particular data from e-procurement systems can be a useful source of information for identifying and tracking red flags (OECD, 2023[2]).

Annex A provides a list of examples of public procurement risks throughout the procurement cycle in Greece and can be used as a source of inspiration by those involved in the identification of public procurement risks.

After identifying the public procurement risks, entities should use the template developed by the NTA to report them. As the template will compile risks from different risk areas, it is strongly recommended to add a column ‘’risk area’’ to the template and mention “public procurement” when risks are related to this area (see Table below).

In accordance with the Law a Joint Ministerial decision shall be issued to determine, within each public entity, who has access to the risk registry, who can add risks and how personnel with the entity can have access to it.

Different departments within a contracting authority may be involved in the different public procurement activities throughout the procurement cycle. The table below summarises the stakeholders involved and who approves each activity. It is worth mentioning that the existence of the different departments mentioned in this table may depend on the entity level. For instance, not all entities have a dedicated department in charge of procurement activities. Furthermore, each Contracting Authority has its own organisation, which may vary according to its size, responsibilities, and resources.

The PPL provides for different non-competitive procedures that contracting authorities can use, depending on the value of the contract, the subject matter of the contract and the special circumstances: The list of non-competitive procedure are listed in Box 3.1.

All these procedures could face similar risks as any other procurement procedure. However, their excessive use can constitute a risk in terms of value for money for the entity. Indeed, for example, direct awards may be linked to corruption risks such as the artificial split of contracts to avoid using a proper competitive tendering procedure. Therefore, it is relevant to understand the risk factors or root causes that may lead to the use of these procedures.

This section will focus on “Negotiated procedure without prior publication (article 32 of the PPL), “Procurement of low value (article 117a of the PPL), and direct award (article 118 of the PPL)’’.

Several articles define the uses of the negotiated procedure without publication. While the use of this procedure can be justified, in some cases it is used without solid grounds which represents several risks including low value for money for the entity. While HSPPA must give its opinion for the use of this procedure above the EU threshold, a significant number of procedures are not checked by HSPPA. The table below provides some examples of risk factors and root cause for the excessive use of negotiated procedures for different use cases.

The low value procurement procedure can be used excessively due to the fragmentation of needs. This fragmentation may not represent a legal breach but can still pose a risk. The table below provides some examples of risks and risk factors.

The second step of the risk management process is evaluating the likelihood and impact of the identified risks (see Figure 3.2) using the contracting authority’s specific criteria (see Section 2.4.3). Risk analysis enables the entity to better understand the risks, understand their characteristics, provide data for their evaluation, and decide whether to treat them or not.

The assessment process asks the following questions:

• What is the likelihood the risk will occur? Depending on the risk, this likelihood may be defined or measured qualitatively or quantitatively and expressed mathematically or descriptively. The likelihood has been defined in the general risk management framework, but for the entity to decide which score to attribute to the likelihood of a risk, it can take several factors into account, as shown in the table below (Table 3.5).

• If the risk occurs, how severe will the consequences be? Similarly, the impact of the risk can be expressed qualitatively or quantitatively. Similarly, the impact of the risks has also been defined within the general risk management framework. Please refer to section 2.4.3. As a reminder, the general risk management framework and policy recommends taking into account the following factors when assessing the impact of a risk: its scope, the economic impact, the reputational impact, operational impacts, the impact on stakeholders, the health and safety impacts, the regulatory and legal implications, the environmental impacts, and the duration of the impact (The National Transparency Authority, 2024[1]).

• Are there any existing control or mitigation measures? If yes, how do they affect the likelihood and/or the impact of the risk? An accurate assessment of the efficiency and effectiveness of the controls is important for the final assessment of the residual risk. When assessing the effectiveness of control mechanisms, account is taken of the views of the managers responsible for their implementation on the one hand, and of information on their effectiveness and consistent application on the other, through audits carried out for this purpose and the use of existing data on their effectiveness (how they have worked in the past in similar incidents) (The National Transparency Authority, 2024[1]).

• The roles of the three lines (Figure 2.1) are listed below in relation to the evaluation of the control mechanisms in the context of public procurement (Figure 3.3):

  1. First line: Head of the public procurement department, heads of department relevant for public procurement and requiring areas.

  2. Second line: Management Oversight (i.e. Risk management bodies.)

  3. Third line: Internal audit unit.

To facilitate the analysis of the public procurement risks, entities should use the risk registry template developed by the NTA, and fill the columns related to the risk analysis phase (see Table 3.6).

The risk evaluation is the final stage of the risk assessment where the information from the previous stage is used and through predefined acceptance criteria the organisation decides whether the residual risk is acceptable in the current situation or whether further measures/controls and/or strengthening of existing controls and/or mitigation measures need to be taken.

Therefore, risk evaluation should consider different elements including:

• the risk appetite of the entity,

• the risk tolerance of the entity,

• the costs and potential benefits to the entity of accepting or refusing a risk.

This assessment allows the prioritisation of risks, as it will allow a better allocation of resources, financial and non-financial, to manage them. A risk map can be used to visualise the impact and likelihood of risks in order to facilitate decision-making on risk management. It includes different risks including the one related to public procurement.

For example, a hospital needs to procure new medical equipment that could save the life of several patients, however there is a high risk of collusion between potential providers that may have some severe financial impacts (level of residual risk =9).

• If the risk appetite of the hospital is set at 12, the entity will consider this risk acceptable (risk appetite 12 > level of risk 9) and will consider a medium-term action plan to control it

• If the risk appetite of the hospital is set at 8, the entity will not consider the risk acceptable (risk appetite 8 < level of risk 9) and will check the risk tolerance for this specific risk.

• If the risk tolerance> level of risk, the risk can be acceptable

• If the risk tolerance< level of risk, the risk is not acceptable, and risk treatments should be applied

This information should be filled in the risk matrix provided by NTA:

Following the risk evaluation phase, entities will have to decide on the risk treatment (see Figure below) based 4 potential options:

Broadly, organisations face four options or paths for any individual risk. Specific decisions will depend on the context of the entity and the individual procurement.

• Accepting the risk. This may be appropriate when the inherent or residual risk is of suitably low likelihood or impact, or when the cost of mitigating the risk is very high. Even when deciding to accept a risk, it may still be necessary to develop plans to monitor the risk and respond if it is realised. For example:

  • when undertaking an innovation procurement, there is an inherent risk that an appropriate or viable solution may not be developed.

  • A public body accepts the risk of using legacy software that may leads to the IT system collapsing, with regular upgrades to avoid bugs, due to very high replacement costs.

• Transferring some or all the risk to another party. For example:

  • risk can be transferred through the purchase of insurance or the inclusion of indemnification clauses in contracts.

  • A public entity decides to conduct a PPP to build large projects, sharing the risks with the private sector partners.

• Mitigating or controlling the risk by reducing its likelihood and/or impact through a variety of treatments. For example:

  • A public entity may mitigate the risk that specifications may not meet users’ needs by putting in place formal processes to involve users in the development of technical specifications.

  • A public body installs advanced fire-fighting systems in public buildings to reduce the risk of fire damage due to materials procured.

• Avoiding the risk entirely by changing the procurement plan or abandoning the project. For example:

  • If market analysis found that there are no available products on the market with the required specifications, the tendering procedure will not be initiated.

  • A public entity stops using a software as it creates cybersecurity risks that cannot be addressed/ avoided.

The figure below provides a sample decision tree for this process:

In order to implement the actions decided upon, the risk management body should develop an appropriate action plan which will be monitored and reviewed on a regular basis. The information provided in the plan shall include, inter alia, the proposed actions, resources required (The National Transparency Authority, 2024[1]). The preparation of action plans requires prior approval by the competent body (e.g. the approval of the head of the procurement department, of the head of a relevant department for public procurement, or head of the entity). Each public entity can monitor the progress of the implementation of the action plan using the risk registry template (Table 3.8).

Recording all stages of the public procurement risk management process allows the entity to document and accurately measure its results. Appropriate documentation provides information on the effectiveness of the risk management process and how to improve it, ensures that the entity complies with legal, regulatory, and contractual obligations, ensures consistency and traceability, facilitates communication about risks and their management, facilitates risk-related actions, etc. The recording of the risk management process ensures:

• Communication and dissemination of a risk management culture within the public entity;

• Traceability and serve as tangible evidence in the event of intervention by the supervisory bodies;

• Provision of the information needed to make an informed decision;

• Facilitation of interaction with stakeholders

This is particularly relevant for public procurement which represents a high-risk area. Public sector entities falling under the provisions of Law no. 4795/2021 shall record the information concerning the risk management of their entity in the Risk Registry.

The Risk Registry template by the NTA includes information on the likelihood and impact of each risk (inherent and residual), the control mechanisms (existing and new/additional) and the persons responsible for managing the risks. Through the Risk Registry, the entity is able to gather all the information on the potential risks to which it is exposed, analyse it and at the same time draw conclusions on the level of overall risk it faces at any given time. The Registry - particularly in entities with many responsibilities and organisational units - may also be maintained via an electronic platform. Updating the Register is an ongoing process, which must be explicitly defined by the entity and includes updating existing risks, adding new ones and reviewing the entire Registry on a regular basis.

According to Law No. 4795/2021, the risk management body submits periodic and ad hoc reports to the head of the institution on the risks to which the institution is exposed, as well as an annual report, the model of which, as well as the instructions for its preparation, are provided by a joint decision of the Minister of Interior and the Governor of the NTA. Depending on the risk assessment, public procurement risks will be considered in these reports. When preparing these reports, it is important to consider the sensitivity of the information and the external and internal context of the public entity.

The aim of these reports is to inform internally about the current risk situation, the management strategies adopted by the entity and the results of risk management actions. Through risk reporting, a permanent mechanism is created to inform stakeholders immediately, ensuring that the right information is given to the right people at the right time. In this way, risk reporting improves the quality of decision-making, influences the prioritisation of activities, and enhances organisational oversight (The National Transparency Authority, 2024[1]).

Unforeseen or unexpected public procurement risks that may have a strong impact on the activity of the entity may be subject to an exceptional report.

The general risk management framework requires public entities to regularly review their risks, risk management framework and the implementation of controls/risk mitigation measures on a regular basis to identify changes in relation to the required or expected level of performance and make the necessary improvements.

Indeed, risk monitoring should take place throughout the procurement process and consist of ongoing tracking, as well as more structured reviews on a regularly scheduled basis:

• Identifying new risks

• Tracking the level of risks within an evolving internal and external context

• Tracking the level of risks after the implementation of control measures, and helping prioritise any residual risk

• Providing assurance to internal and external stakeholders that risks are being monitored

Monitoring public procurement risks is particularly relevant given its economic and financial impact and the fact that it is very sensitive to the external environment.

For instance, for the procurement of new IT equipment, a public entity with a risk appetite and tolerance of 10 identified and assessed the following risks:

• Risk of reduced competition with a residual risk of 8 ➜ no immediate additional action needed, but this risk should be monitored.

• Risk of collusion with a residual risk of 12 ➜ risk nonacceptable, additional action needed.

• Risk of tailored technical specifications with a residual risk of 9 ➜ no immediate additional action needed, but this risk should be monitored.

Monitoring risks enabled i) to identify new risks (for instance the obsolescence of procured items due to the emergence of a new technology) ii) update the residual risk value of the different risks which may lead to different actions.

The results of the monitoring and review should be recorded in a report summarising the data collected and outlining the conclusions of the assessment in relation to predetermined criteria. The actions planned in response to the reviews should be communicated to senior management, and their implementation should be monitored.

The general risk management framework and policy recognizes that communication on risk management is critical to its success, and organisations should put in place processes to supply, share and obtain risk information in an iterative and continuous way. This will ensure that risks are adequately reported to the higher levels of the hierarchy and that decisions taken on which risks are acceptable or non-acceptable and the priorities for action to address them are communicated to the different levels of the public entity. Methods of communication and consultation may include meetings, reports, electronic communication systems, training activities and newsletters (The National Transparency Authority, 2024[1]).

This requirement of the general framework to communicate on the risks also apply within the context of public procurement. The greatest procurement risks, particularly those that exceed the organisation’s risk appetite, should be brought to the attention of relevant stakeholders. There should be structured communication channels to ensure effective risk reporting within the organisation and, where necessary, with external stakeholders. Adequate risk communication should strive to be:

• Complete: All required information should be included in risk communication to ensure that the audience is able to make decisions as soon as they receive the information.

• Concise: The risk communication should only include relevant information. Communication should avoid unnecessary information that might confuse the audience or detract from the core message.

• Accurate: All risk communication should only include accurate facts to enable the audience to gauge the importance of the required actions.

• Credible: All communication should originate from people and/or institutions with sufficient influence and authority (OECD, 2023[2]).

Risk management strategies related to public procurement, implementation plans and measures set up to deal with the identified risks need to be known and understood among the procurement workforce and relevant stakeholders in order to be effective. Staff should be encouraged to identify and report on existing and emerging risks through a clearly defined process. Each public entity can choose, taking into account its available resources, the channel or channels of communication which suit it, and which are likely to reach the largest number of participants in the public procurement process. These channels may be internal and/or external.

[2] OECD (2023), “Managing risks in the public procurement of goods, services and infrastructure”, OECD Public Governance Policy Papers, No. 33, OECD Publishing, Paris, https://doi.org/10.1787/45667d2f-en.

[3] OECD (2020), Guide de management des risques dans les marchés publics en Tunisie.

[1] The National Transparency Authority (2024), Model Policy and Framework for Risk Management.