Risk Analysis

Under state laws effective September 1, 2015, all state agencies
are required to “develop and comply with a purchasing accountability
and risk analysis procedure.” Acts 2015, 84th Leg., R.S., S.B. 20,
§ 18 (codified at Tex. Gov’t Code § 2261.256(a)).

As part of the procurement process, the Office of Primary
Responsibility (OPR) must perform a risk analysis for each contract
to be procured having an expected maximum amount payable exceeding
$25,000. A formal risk analysis is not required for contracts that
are inherently low risk, such as those having an expected maximum
amount payable of $25,000 or less or low-bid construction and maintenance
contracts.

At a minimum, the risk analysis must assess the risk of fraud,
waste, or abuse in the contractor selection process, contract provisions,
and payment methods, and any contract procurement identified as
high risk must receive enhanced contract monitoring. In addition,
the OPR must notify Contract Services of the high-risk contract,
either in conjunction with Contract Services’ review of the contract,
or through an email to Contract Services’ risk analysis email box,
.

The OPR must update the risk analysis throughout the life
of the contract whenever factors outlined in the Risk Assessment
change or new risks are identified. The timing of updates may be
periodic or based on specific events (e.g., selecting a contractor,
preparing a work authorization, assigning a work authorization,
amending the contract, completing a milestone, receiving a deliverable,
or starting a new phase of a project). The OPR must immediately
notify Contract Services if an updated risk analysis raises a contract’s
risk level to high risk. Contract Services will notify TxDOT administration,
as appropriate, of any issue or risk that is identified.

The OPR should use the risk analysis to manage the risks associated
with the contract, which places TxDOT in a position to best avoid
or minimize threats and to benefit from opportunities. Risk management
includes identifying, prioritizing, and controlling risks; planning
and implementing risk responses; and developing and updating project
plans in response to changes in risks and their impacts. To control
risks, the OPR should implement risk response plans, track previously
identified risks, and continuously look for new risks.

Risk management necessarily involves the judgment of experts
with relevant experience in the type of work being performed. The
OPR must use the risk form developed by Contract Services to evaluate
the risk for each contract and underlying work authorization, with
input from experts where appropriate. This risk form will provide
an initial risk rating of high, medium, or low. This risk rating
may be increased by the project manager, OPR leadership, or the
OPR’s Chief. The original risk analysis, along with each subsequent
version, must be maintained in the File of Record.