Description of risks to contract performance
1) Dependence on Supplier Expertise and Limited In-House Capability
Risk:
The Authority has limited internal IT expertise and is heavily reliant on the supplier acting as an “extension of the team”.
Impact:
• Poor supplier performance could significantly affect service delivery, decision-making, and risk management
• Reduced ability to challenge or validate supplier recommendations
Mitigation (for inclusion):
• Strong governance structure and named contract managers
• Regular reporting and escalation routes
• Defined SLAs and performance monitoring
2) Transition and Handover Risk from Incumbent Provider
Risk:
The supplier must take over all services and liaise with the incumbent provider to ensure continuity.
Impact:
• Service disruption during mobilisation
• Loss or incomplete transfer of knowledge, system access, or documentation
Mitigation:
• Mandatory transition/mobilisation plan
• Requirement for full system audit post award
• Clear exit/entry provisions and knowledge transfer obligations
3) Business Continuity and Disaster Recovery Failure
Risk:
The service includes responsibility for backup, disaster recovery, and maintaining agreed RTO/RPO.
Impact:
• Data loss or extended downtime
• Operational and reputational damage
Mitigation:
• Tested backup and recovery processes
• Regular reporting on backup integrity
• Requirement for resilient DR solutions and monitoring
4) Cyber Security and Compliance Risk
Risk:
The supplier must maintain security arrangements and support Cyber Essentials Plus and IASME accreditations.
Impact:
• Increased exposure to cyber threats
• Loss of accreditation
• Legal and regulatory breaches (UK GDPR, DPA 2018)
Mitigation:
• Mandatory security certifications (e.g. Cyber Essentials Plus)
• Continuous monitoring (SOC, patching, antivirus, etc.)
• Regular audits and compliance reviews
5) SLA / KPI Underperformance
Risk:
Failure to meet key SLAs (e.g. helpdesk responsiveness, resolution times, onboarding).
Impact:
• Reduced productivity of staff
• Poor user experience
• Potential contract failure
Mitigation:
• Clearly defined SLAs
• Monthly reporting and contract review meetings
• Formal improvement plan and escalation process (including termination rights)
6) Multi-Site and Hybrid Working Complexity
Risk:
The service must support multiple locations and hybrid working, including remote access.
Impact:
• Connectivity or access issues
• Increased support demand and complexity
Mitigation:
• Robust remote support capability
• Scalable service model
• Defined on-site support requirements
7) Third-Party Dependency Risk
Risk:
The supplier must coordinate with multiple third-party providers (software, telephony, hardware, SaaS).
Impact:
• Delays in issue resolution
• Lack of accountability
• Integration challenges
Mitigation:
• Supplier to act as single point of contact
• Defined responsibility matrix
• Requirement for proactive vendor management
8) Infrastructure and Asset Management Risk
Risk:
Incomplete or evolving understanding of current IT infrastructure (initial list is indicative only).
Impact:
• Misconfigured systems
• Asset gaps or unsupported hardware/software
Mitigation:
• Mandatory full infrastructure audit post award
• Ongoing asset and lifecycle management
• Inventory and reporting requirements
9) Scalability and Future Change Risk
Risk:
Changing organisational needs (e.g. staff numbers, relocation, growth).
Impact:
• Service model may become inefficient or unsuitable
• Increased costs or reduced flexibility
Mitigation:
• Requirement for scalable, flexible service delivery
• Ongoing consultancy and continuous improvement
10) Data Protection and Information Governance Risk
Risk:
The supplier will process sensitive data and must comply with UK GDPR and related legislation.
Impact:
• Data breaches
• Legal penalties and reputational damage
Mitigation:
• Strict compliance requirements
• Data handling policies and reviews
• Support for subject access requests and breach management
11) ICT Security Certification and Standards Risk
Risk:
Failure to maintain required certifications (e.g. Cyber Essentials Plus, ISO 27001).
Impact:
• Non-compliance with contract
• Increased vulnerability
Mitigation:
• Mandatory certification requirements at award
• Ongoing monitoring and re-certification support