Managing risk under commercial contracts

  • Having a contract risk assessment process in place can help ensure that organisations take a proactive and preventative approach as opposed to one that is reactive and reparative.
  • Once a risk assessment has been completed, an organisation will need to decide which risks it can disregard and which risks it will need to manage.
  • A risk assessment is a working document and should be regularly reviewed and updated.

Managing risk under commercial contracts without proper guidance can be daunting. Not only will there be the need to consider productivity and business drivers — such as the desire to increase revenue and reduce costs — but from a legal perspective, there is the ever-present need to avoid disputes and litigation.

There are a few general principles that can assist with establishing a governance process around an organisation’s commercial contracts. Having such a process in place can help ensure that the management of risk under those contracts is a relatively straightforward and cost-effective exercise. If risk is properly managed at the front-end of contract negotiations, it may be possible for an organisation to avoid (or at least be in a position to carefully manage) potential disputes and litigation.

Using commercial contract templates

Generally, organisations are strongly encouraged to use commercial contract templates. One of the main reasons for this is that standard form commercial contracts — such as the Australian Standard for Defence Contracting (ASDEFCON) suite (used by the Department of Defence), the International Federation of Consulting Engineers (FIDIC) contracts (available for use in the construction industry) and legal contract precedents which are prepared specifically for an organisation — are designed to assist organisations to reduce contracting risk.

Clauses within template contracts have been specifically developed to align with the operations of the contracting organisation, therefore acting as a mechanism to manage the contracting organisation’s exposure to areas of potential liability. Further, appropriately drafted contract templates often include optional or suggested clauses — for example, in relation to insurance and liability — with drafting notes by way of guidance to explain when it would be appropriate to include such a clause in a particular contract.

Completing a risk assessment

To properly manage contract risk, it is necessary to take a proactive and preventative approach as opposed to one that is reactive and reparative. Completing a risk assessment before entering into a contract allows due consideration to be given to the potential risks an organisation may face once a contract has been agreed — including details of risks that originate at an operational and technical level.

In the context of a contracting process, a risk assessment is a secondary, supporting document that details why certain positions in relation to contract risk and liability can be maintained. Although a risk assessment is a separate document that is not a mandatory part of a contract, it should be considered an important part of the contracting process — not only from a strategic perspective (so the rationale behind an organisation’s negotiation and contract position is clear) — but from a risk management position to ensure an organisation’s interests are properly protected.

Although there are no specific guidelines dictating the format or degree of detail required for a contract risk assessment, the logical approach is that it should reflect the nature of the contract it relates to. For example, a costly procurement would warrant a thorough risk assessment with a detailed issues log, whereas a straightforward contract amendment would require a simple, one-page risk assessment.

Depending on the type of contract the risk assessment is conducted for, as well as the specific circumstances surrounding the contract, it is recommended that a risk assessment consider the technical, operational, legal and commercial details surrounding the contractual relationship.

For each identified risk it is recommended that an assessment be completed in relation to two aspects:

  1. the likelihood of the risk occurring
  2. the severity of the consequences of the risk event.

Both aspects of the risk event will need to be assessed against a scale (which could range from ‘minor’ to ‘severe’ for severity and ‘never’ to ‘very likely’ for likelihood). From this assessment, together with the organisation’s experience in relation to similar contracts and an analysis and assessment of cost consequences of risk events, it will be possible to determine what action to take to respond to or deal with risk. It will also be possible to decide what (if any) level of risk can be tolerated by an organisation for the purposes of a particular contract.

If a risk isn’t identified and assessed, it is a risk that an organisation will have contractually assumed responsibility for and must, therefore, bear (with minimal, if any, knowledge of the consequences). This highlights the importance of conducting a risk assessment process as thoroughly as possible to ensure all potential risks are identified and appropriately assessed and dealt with.

Actioning risk assessment findings

Once a risk assessment has been completed against identified risks, an organisation will need to decide:

  • which risks it can disregard. In this case, the organisation will effectively do nothing about the risk as any impact of the risk event occurring will be negligible, and
  • which risks it will need to manage. In this case, the organisation will need to decide which form of action will be appropriate to respond to the risk, depending on the nature of the risk event as well as the potential severity of any impact of the risk event if it occurs.

Possible action that can be taken by an organisation to deal with risk may include:

  • externally acknowledging the risk by implementing risk treatments such as a training program aimed at educating stakeholders about the cause of the risk and how the risk may be avoided in the future
  • reducing or mitigating the risk with practical action such as installing locks on the windows and doors of an unsecured building
  • transferring the risk by adjusting the organisation’s type or amount of insurances or transferring the risk to another party that is able to manage the risk
  • avoiding or removing the risk, such as via elimination of the relevant hazard, activity or exposure that is causing the risk (subject to any potential impact on business objectives).

Once identified, effective controls should be implemented for each identified cause of the risk and the relevant contract template will need to be customised. This will ensure any risk posed by the transaction is appropriately documented and allocated between the transacting parties and, consequently, properly managed via the written contract governing the parties’ relationship.

It will be necessary to ensure any actions specified in the risk assessment and documented in a commercial contract are, in fact, actually taken within an appropriate timeframe. Certain tools can assist with this process such as a risk register. A risk register identifies relevant risks, the actions required to deal with them and the relevant timeframe/s within which action needs to be taken.

Updating a risk assessment

Finally, it should be noted that a risk assessment, like a contract, will be a working document. Once prepared, it will need to be reviewed at appropriate intervals to ensure it remains relevant to the current terms of the contract. For example, if a contract is amended, an update to the risk assessment for the contract will also need to be prepared. The risk assessment update should be consistent with the terms of the contract amendment. Further, depending on the duration of a particular contract, it would be advisable to review the risk assessment for the contract (including any updates) at regular intervals to ensure the content is current and accurate.

Lisa Kavanagh can be contacted on (02) 9260 2640 or by email at

Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.
