Managing External Risk

External risk management is the bidders’ strategy for managing or constraining the risks inherent in a proposed approach or offer. The underlying assumptions are that every offer entails risk and that risk can be contained or reduced with appropriate management.


Risk is normally associated with cost and schedule, but risk permeates every aspect of a program, including program management, technical performance, quality, service, support, and security. Proposal teams often struggle to demonstrate how their solution offers the least risk. However, most customers recognize that superior value justifies increased risk. The key is to understand what degree of risk is acceptable to each customer.

Best Practices

1. Recognize all aspects of external risk.

Evaluators normally focus on risk in two evaluation criteria items: proposal risk and performance risk.

Proposal risk is associated with a bidder’s proposed approach to meeting the bid request requirements. Proposal risk includes both your technical and management approach.

Performance risk is how customers evaluate the bidders’ ability to perform based on relevant present and past performance. Evaluators consider the data included in your proposal and data gathered independently. Evaluators assess several factors such as:

  • Whether the experience cited is relevant
  • The results
  • Lessons learned that may reduce risk on future contracts

2. Develop a mitigation strategy to address external risk.

Most customers develop a good information network within their industry. You should assume customers will learn about your past performance, either on their own or through your competitors. When you don’t have the opportunity to explain or defend your performance (which may have been influenced by many factors), risk is introduced.

Developing a risk management strategy is a key part of overall proposal strategy development. Use the same strategic approach to:

  • Emphasize strengths
  • Mitigate weaknesses
  • Neutralize your competitors’ strengths
  • Highlight your competitors’ weaknesses

For ethical reasons, do all of this without mentioning your competitors by name.

3. When appropriate, address risk management in your executive summary.

Risk is often a discriminator and can be an effective way to ghost competitors. Decision makers and senior influencers are more likely to worry about what could go wrong than about relatively minor price or technical differences.

Identify the areas of greatest risk and then briefly discuss your risk management approach in the executive summary. Address the top concerns in one or two short paragraphs, as shown in the following example:

Software development projects have been notoriously difficult to estimate correctly and to deliver on schedule. Acme Software has developed sophisticated and detailed metrics from all of its software development projects since 1989, enabling us to significantly reduce performance risk. Our specific management approach is discussed in detail in section 3.2 Software Management Approach.

If competitors do not discuss risk, evaluators may assume they do not understand the problem. Your discussion must be credible, or it could backfire.

Another best practice is to support your risk management plan with a chart similar to Figure 1.

Risk Area Risk Assessment Impact with our Management Approach Summary of Approach Ref in Proposal
Key personnel not available Medium Low All positions filled and back-ups identified 4.5
Limited construction area onsite High Low Use modular design, construct modules offsite, then assemble onsite 2.3

Fig 1. Risk Management Matrix. A brief risk management matrix summarizes the major risks.

Consider supporting a short risk management discussion with a matrix that summarizes the major risks and assesses the risk both with and without your mitigation approach. If space permits, add columns to summarize your approach and indicate where your approach is discussed in the proposal.

4. Analyze and discuss risk and risk management similarly in each proposal section.

Top-level discussions of risk must be supported where relevant in each proposal section. Evaluators look for an established proven risk management process to identify, assess, track, and manage or mitigate risk associated with your solution.

Increase the credibility of risk discussions and cut writing time by following a consistent process to analyze risk and draft your response.

Risk Analysis Procedure

  • Identify all risk areas
  • Assess the risk (low, medium or high) on a defined scale
  • Prioritize each risk according to its potential impact on the solution, schedule, or cost
  • Determine and analyze the causes (not the symptoms) of risk

Develop alternative, backup, or parallel procedures to monitor whether your risk management strategy is to accept, mitigate, transfer or avoid the risk.

Assess the modified risk against your proposed risk management approach, considering how changes could impact other aspects of your solution. Draft your risk management story in a similar style in each major proposal section following the writing procedure described below.

Writing Procedure

Introduce each risk management section with a theme statement, a section summary, and a preview or introduction.

Consider including a more detailed form of the risk management matrix, as illustrated in Figure 1.

Identify and define all relevant risks with an explanation of how the risk will be managed. Cite clear decision points tied to your proposed approach, as well as your alternative, backup, or parallel approaches. Demonstrate your ability to manage risk by citing experience, independent research, or trade studies.

5. Regularly review your risk management strategy.

The risk management strategy should be kept under regular internal review as it is an inherent part of the solution offer. Whilst it forms part of the scheduled document reviews, a separate review of the risk management strategy as it evolves for the opportunity should also inform the internal decision gates, business case reviews, and final approval.

Common Pitfalls and Misconceptions

Reluctance to address risk

Some bidders prefer to avoid any discussion of risk. They correctly see risk as negative, but incorrectly avoid discussing it.

Customers know every offer entails risk, so best practice is to explicitly discuss how the risk in your offer will be managed. Company risks, such as internal concerns or gaps, are not relevant unless they affect proposal or performance risk.


  • Recognize all aspects of external risk.
  • Develop a risk mitigation strategy to address external risk.
  • When appropriate, address risk management in your executive summary.
  • Address the top concerns in one or two short paragraphs.
  • If competitors do not discuss risk, evaluators may assume they do not understand the problem.
  • Your discussion of risk must be credible, or it could backfire.
  • Analyze and discuss risk and risk management similarly in each proposal section.
  • Regularly review your Risk Management Strategy.

Terms to Know

See Also