📝 Assessment Information
Purchasing & Operational Risks
Procurement process integrity, spend controls, and regulatory alignment
—
▼
Procurement Process Controls
1.01
PolicyProcurement policy is documented, approved, and current
Includes threshold schedules, competitive bid requirements, and exception processes
1.02
ControlsSegregation of duties is enforced across all procurement activities
Requester, approver, and receiver are separate individuals; compliant with Ontario BPS Procurement Directive (Jan 2024)
1.03
ControlsProcurement thresholds and approval authorities are defined and enforced
Tiered signing authority matrix is current; no unauthorized spend above threshold
1.04
RiskSole-source and emergency purchases are properly justified and documented
Written justification on file; frequency monitored for inappropriate use pattern
1.05
RiskConflict of interest declarations obtained for all procurement participants
Signed COI forms on file for evaluation committee members and staff with vendor relationships
1.06
AuditFull audit trail maintained for all purchasing decisions and communications
Vendor communications, evaluation scores, and award rationale retained for required period
Spend & Budget Risk
1.07
RiskSpend analysis performed to identify concentration risk and savings opportunities
Spend by category, supplier, and department reviewed at least annually
1.08
RiskPurchase order splitting to avoid thresholds is monitored and controlled
System controls and periodic reviews prevent artificial splitting of requisitions
1.09
BudgetBudget availability confirmed before purchase commitment
Purchase orders not issued without budget confirmation; encumbrance accounting in place
1.10
ComplianceBuy Ontario Act / Buy Local obligations tracked and reported
Supplier origin verified; Ontario-made preference documented; reporting data current
1.11
LegislationBill S-211 (Forced Labour Act) supply chain obligations assessed and reported
Annual attestation completed; high-risk supply categories identified and reviewed
Competitive Bid Process
1.12
ProcessRFP / RFQ / ITT evaluation criteria defined and disclosed to vendors before award
Weighted scoring matrix documented; evaluation team briefed on fairness obligations
1.13
ProcessMandatory bid requirements applied consistently and documented
Non-compliant bids rejected with written rationale; bidder debriefs offered where required
1.14
RiskProcurement grievance and debriefing process is documented and followed
Unsuccessful bidder rights respected; formal debrief process used to reduce legal exposure
Supplier Management
Prequalification, performance, diversity, and ongoing vendor oversight
—
▼
Supplier Qualification & Onboarding
2.01
ProcessFormal supplier prequalification criteria are defined and consistently applied
Qualification requirements documented by category; minimum thresholds established
2.02
OnboardingSupplier onboarding process collects all required compliance documents before work begins
No contractor or supplier begins work without completing onboarding requirements
2.03
DatabaseSupplier database is centralized, current, and accessible to authorized users
Single source of truth for supplier compliance status; no duplicate or shadow records
2.04
RiskSupplier Code of Conduct signed and on file for all active vendors
Covers ethical sourcing, anti-bribery, forced labour, and data privacy obligations
2.05
LegalSupplier financial viability assessed before award of significant contracts
Credit check, references, and business registration verified for high-value engagements
Post-Qualification Monitoring & Performance
2.06
MonitoringPost-qualification compliance monitoring is continuous, not one-time
Insurance, WSIB, and H&S document renewals tracked automatically; alerts issued pre-expiry
2.07
PerformanceSupplier performance evaluations conducted and documented at contract milestones
Formal KPI scorecard used; evaluations retained and shared with procurement file
2.08
RiskSingle-source supplier dependency risk identified and mitigation plans in place
No critical service relies on a single unmitigated vendor; alternate sources identified
2.09
RiskSupplier cybersecurity and data privacy posture assessed for vendors with system access
Vendor security questionnaire on file; OEB and healthcare regulatory requirements addressed
2.10
DiversitySupplier diversity data tracked (Indigenous, women-owned, minority-owned, etc.)
Diversity spend reported; Buy Local and Canadian content flags maintained in supplier database
2.11
RiskNon-compliant or suspended supplier access to work is immediately revoked
Process in place to suspend or restrict work orders when supplier compliance lapses
Insurance Coverage
Certificate of Insurance verification, minimums, endorsements, and renewal tracking
—
▼
Certificate of Insurance (COI) Requirements
3.01
COICertificate of Insurance (COI) on file for every active supplier and contractor
No vendor performs work without a current, approved COI on file
3.02
COICommercial General Liability (CGL) coverage meets minimum thresholds per contract
Minimum limits verified (e.g. $2M, $5M, or $10M per occurrence) against contract requirements
3.03
COIAutomobile liability coverage confirmed where vehicles used on organization business
Third-party liability minimum confirmed; owned, non-owned, and leased vehicle coverage checked
3.04
COIProfessional Liability (E&O) coverage in place where applicable (consultants, IT, engineers)
Required for all professional services suppliers; policy limit meets contract specification
3.05
COIUmbrella / Excess Liability coverage confirmed where contract requires higher limits
Umbrella policy verified to sit excess over primary CGL; limits and follow-form terms confirmed
Named Insured, Endorsements & Validity
3.06
EndorsementOrganization is named as Additional Insured on supplier CGL policies
Additional Insured endorsement verified on COI; wording matches contract requirement
3.07
EndorsementCross-liability / separation of insureds clause confirmed on CGL policy
Ensures coverage applies separately to each insured party in the event of a claim
3.08
RiskPolicy period covers full contract term; expiry before contract end flagged
COI policy dates confirmed against purchase order or contract end date; renewal triggered early
3.09
Risk30-day (or greater) cancellation notice clause confirmed on all policies
Organization notified before policy cancellation; allows time to demand replacement coverage
3.10
TrackingCOI expiry tracking is automated with pre-expiry renewal alerts
Alerts issued at 60, 30, and 14 days before expiry; follow-up with non-compliant suppliers documented
3.11
AuditInsurance review is conducted by trained staff or AI before approval is granted
Reviewer checks coverage limits, named insured, endorsements, and policy dates; review timestamped
Workers Compensation / WSIB Clearance
WSIB Certificates of Clearance, account status, and provincial WCB coverage
—
▼
WSIB Clearance Certificate Requirements
4.01
WSIBWSIB Certificate of Clearance obtained from every contractor before work commences
No contractor permitted on site without a valid, verified WSIB Clearance Certificate
4.02
WSIBWSIB Clearance verified directly on the WSIB website, not accepted on face value only
Verification conducted via wsib.ca clearance portal; verification number or screenshot retained
4.03
RiskWSIB Clearance Certificate is current (not expired) at time of each work engagement
Clearance re-verified at the start of each new PO or on a defined periodic basis during long projects
4.04
WSIBPost-project WSIB Clearance obtained after completion of contracted work
Protects organization from liability for unpaid WSIB premiums accrued during the project
4.05
LegalOrganization's own WSIB account maintained in good standing
Premium payments current; no outstanding assessments or compliance orders
Out-of-Province & Independent Contractor Coverage
4.06
RiskOut-of-province contractors provide equivalent WCB/WorkSafeBC/CNESST coverage proof
Clearance from home-province WCB accepted with verification; WSIB reciprocal agreement provisions understood
4.07
ClassificationIndependent contractor vs. employee classification reviewed to confirm WSIB obligations
WSIB independent operator status verified or employer obligations confirmed where applicable
4.08
TrackingWSIB clearance renewal tracking is automated with pre-expiry alerts
System-generated reminders issued before clearance expiry; non-compliant contractors notified
Contract Management
Contract lifecycle, key clauses, renewals, change orders, and register
—
▼
Contract Formation & Execution
5.01
LegalStandard contract templates reviewed and approved by legal counsel
Templates current; schedule of approved templates maintained; non-standard contracts flagged to legal
5.02
ScopeScope of work is clearly defined, measurable, and referenced in the contract
Deliverables, timelines, acceptance criteria, and performance standards explicitly stated
5.03
PricingPricing, payment terms, invoicing schedule, and holdback provisions documented
Unit prices, not-to-exceed amounts, payment milestones, HST treatment, and holdback (10% default under CCDC) specified
5.04
LegalIndemnification and hold-harmless clauses included and mutually reviewed
Indemnification scope covers negligence, property damage, and third-party claims; legal review completed
5.05
LegalTermination for cause and termination for convenience clauses included
Notice periods, cure rights, and compensation on termination for convenience specified
5.06
LegalDispute resolution mechanism defined (escalation, mediation, arbitration, or litigation)
Step-escalation clause included; governing law (Ontario) and jurisdiction confirmed
5.07
LegalIntellectual property and data ownership provisions clearly defined
Work-product IP assigned to organization; confidentiality, data residency, and PIPEDA/PHIPA obligations addressed
5.08
LegalForce majeure provisions included and scoped appropriately
Trigger events defined; notice obligations, suspension vs. termination rights, and COVID-19 exclusions considered
5.09
ExecutionAll contracts fully executed (signed by authorized parties) before work commences
No verbal or email-only agreements for contracted services; executed copy filed and accessible
Contract Administration & Lifecycle
5.10
RegisterCentral contract register maintained with all key dates, values, and contacts
Start date, end date, renewal options, value, owner, and supplier contact recorded for every contract
5.11
RiskContract renewal and expiry alerts issued at 180, 90, 60, and 30 days
No contract expires without a conscious decision to renew, extend, or re-tender; no automatic rollovers
5.12
ChangesChange order process documented; all changes to scope/price approved before work proceeds
No verbal scope creep; written change orders signed by both parties before additional work commences
5.13
PerformanceKPIs and service level agreements (SLAs) monitored and reported during contract term
Formal KPI reporting cadence established; SLA breaches escalated and remediation tracked
5.14
CloseoutContract closeout checklist completed at end of engagement
Final deliverables accepted, final payment released (including holdback where applicable), warranties documented
Supplier Health & Safety Requirements
H&S policy, training, COR/SECOR, site safety plans, OHSA, and subcontractor requirements
—
▼
H&S Policy & Documentation
6.01
H&SSupplier's written Health & Safety policy on file and signed by senior management
Policy is dated within 12 months; reflects current OHSA obligations and organizational scope
6.02
H&SSite-specific safety plan submitted and approved before mobilization
Plan addresses site hazards, emergency procedures, PPE requirements, and project-specific risks
6.03
H&SCOR or SECOR certification confirmed (where required by contract or regulation)
Certificate of Recognition (COR) or Small Employer COR verified via provincial certifying partner
6.04
TrainingSupplier H&S orientation and site-specific training records maintained
Worker training documented by name, date, and topic; records accessible for audit
6.05
OHSAOHSA compliance attestation obtained — Bill 168 (violence/harassment) addressed
Supplier confirms compliance with Occupational Health and Safety Act; workplace violence/harassment policy in place
WHMIS, Equipment & Incident Reporting
6.06
WHMISWHMIS 2015 / GHS compliance confirmed for all hazardous materials used on site
Safety Data Sheets (SDS) current and accessible; WHMIS training records on file for workers
6.07
EquipmentEquipment and vehicle pre-use inspection records maintained by supplier
Daily inspection logs, maintenance records, and operator certifications on file for equipment
6.08
IncidentsIncident, near-miss, and injury reporting process documented and adhered to
Supplier reports critical injuries and MOL-reportable events; process for joint investigation in place
6.09
H&SSupplier's H&S performance history (lost-time injuries, MOL orders) reviewed pre-award
MOL order history, lost-time injury frequency, and WSIB experience rating reviewed as part of prequalification
Subcontractor H&S Requirements
6.10
SubcontractorsSubcontractor H&S requirements flow down from prime contract
Prime contractor contractually obligated to impose same H&S standards on all subcontractors
6.11
SubcontractorsSubcontractor list and H&S compliance status provided to organization before work begins
Organization approves subcontractors; no unauthorized substitutions permitted mid-project
6.12
Joint H&SJoint Health & Safety Committee (JHSC) access and rights communicated to supplier workforce
Contractor workers aware of right to refuse unsafe work; JHSC representative contact provided
📊 Risk Summary — Score Distribution
0
Score 1
Not in Place
0
Score 2
Partially in Place
0
Score 3
Mostly in Place
0
Score 4
Fully Under Control
📌 Action Notes & Remediation Plan