What is Risk Management and What Do I Need to Know?

Many federal government RFPs require that offerors address risk in their approach to win the contract. What is Risk Management and what do you need to know to address it in an RFP response? 

Risk Management

Risk Management is the identification, analysis, and response to risk factors that are only present due to a specific approach to performing contract work. When an RFP requires you identify ‘risks of your proposed approach’, it is NOT requesting that you identify inherent risks of performing the stated work. This is not the place to identify inherent office environment risks if you are bidding on an administrative office services contract. The appropriate response would be to identify risks that would be present as a result of your proposed approach.  

Some RFPs request identification and mitigation of associated risks within each technical approach section, while others stipulate one single Risk Management section for the entire proposal. Regardless of presentation, it is recommended to identify the risks in each Technical and Management section of the proposal, and have technical experts in each discipline validate the potential risks and corresponding mitigation strategies.  

Use a Risk Table to gather risks as they are identified. Make sure that you add a section for the SME or Writer to identify potential risks of their approach when the Technical and Management sections are outlined. Having a specific Risk section allows for every writer to see Risks as part of their section. If they are unable to identify any risks, they need to state that no risks have been identified.  

How to Present Risks 

For federal government contractors, most risks are identified and presented in the form of an IF/THEN statement:  IF [Event], THEN [Consequence/s], as shown in the exhibit below. Determine an initial likelihood/probability and consequence/severity score in accordance with the agency definitions.

Then determine a mitigated or final likelihood/probability and consequence/severity. Use the appropriate agency color rating system to determine colors for initial and mitigated risks. All risks cannot be mitigated, some will be avoided and others may be accepted. 

The Risk Management Plan shows that you understand risks and how to mitigate, avoid, or accept them. Ideally, you are able to mitigate all risks to be in the green sections of the Risk Matrix, but this may not be necessary.  

Encourage your team to look beyond the obvious when identifying risks. Be very specific in your risks and consider multiple causes and effects. If you have a risk of employee retention, consider all the factors – tight labor market, retirement of personnel, in-sourcing of personnel to government positions, or others – and develop a mitigation strategy for each one. 

Where to Present Risks

Risk statements and mitigation strategies should go through the same scrutiny as the rest of your proposal, undergoing review by those who have experience and understanding of the Technical and Management functions and how to identify, assess, and manage the risk process.

Addressing risks in each proposal section ensures that you do not skip a section and it forces you to look at each proposal section, or PWS element, as an individual element.

After a Red Team Review, compile risks into a separate Risk Management Section, if required by the RFP. If this is the case, consider adding a PWS reference to the Risk Management table, so evaluators can easily see how the risk and PWS element are related. Use the management PWS elements for mapping.  If not stipulated by the RFP, it is still good practice to identify risks as part of your Technical and Management approaches.

A good review of the risks not only helps your team to think through the approach but also provides the proposal evaluators a more complete picture of your team’s proposed approach for every PWS element. 

Agency-Specific Risk Management

Present your risks in accordance with the risk management guidance provided by the RFP-issuing agency. If you are submitting a proposal to the U.S Army, use the U.S Army Risk Management Guide and their terminology, which includes the words probability and severity. When submitting a proposal to NASA, their risk terminology uses likelihood instead of probability and consequence instead of severity. 

Risk Management Terminology

To develop a Risk Management Plan that your government Evaluators love, your team must understand Risk Management and its terminology. Read ISO 31000:2018 Risk Management Principles and Guidelines to learn more about risk management terminology. Below are some common definitions used often in a Risk Management Plan: 

This is the 8th blog post in the 11-part series, "Playing to Win: Strategies to Scoring Higher and Winning Federal Government Contracts". There is a companion download, which includes editable customizable PowerPoint and Word graphics based on each blog post topic. 

OneTeam is a complete, secure, cloud-native collaboration platform for GovCons to track, qualify, capture, propose and win more contracts with fewer resources by streamlining and automating processes. Our experienced team writes extensively about business development topics and best practices.