Under state laws effective September 1, 2015, all state agencies are required to “develop and comply with a purchasing accountability and risk analysis procedure.” Acts 2015, 84th Leg., R.S., S.B. 20, § 18 (codified at Tex. Gov’t Code § 2261.256(a)).

As part of the procurement process, the Office of Primary Responsibility (OPR) must perform a risk analysis for each contract to be procured having an expected maximum amount payable exceeding $25,000. A formal risk analysis is not required for contracts that are inherently low risk, such as those having an expected maximum amount payable of $25,000 or less or low bid construction and maintenance contracts.

At a minimum, the risk analysis must assess the risk of fraud, waste, or abuse in the contractor selection process, contract provisions, and payment methods, and any contract procurement identified as high risk must receive enhanced contract monitoring. In addition, the OPR must notify Contract Services of the high-risk contract, either in conjunction with Contract Services’ review of the contract, or through an email to Contract Services’ risk analysis email box, .

The OPR must update the risk analysis throughout the life of the contract whenever factors outlined in the Risk Assessment change or new risks are identified. The timing of updates may be periodic or based on specific events (e.g., selecting a contractor, preparing a work authorization, assigning a work authorization, amending the contract, completing a milestone, receiving a deliverable, or starting a new phase of a project). The OPR must immediately notify Contract Services if an updated risk analysis raises a contract’s risk level to high risk. Contract Services will notify TxDOT administration, as appropriate, of any issue or risk that is identified.

The OPR should use the risk analysis to manage the risks associated with the contract, which places TxDOT in a position to best avoid or minimize threats and to benefit from opportunities. Risk management includes identifying, prioritizing, and controlling risks; planning and implementing risk responses; and developing and updating project plans in response to changes in risks and their impacts. To control risks, the OPR should implement risk response plans, track previously identified risks, and continuously look for new risks.

Risk management necessarily involves the judgment of experts with relevant experience in the type of work being performed. The OPR must use the risk form developed by Contract Services to evaluate the risk for each contract and underlying work authorization, with input from experts where appropriate. This risk form will provide an initial risk rating of high, medium, or low. This risk rating may be increased by the project manager, OPR leadership, or the OPR’s Chief. The original risk analysis, along with each subsequent version, must be maintained in the File of Record.