One of my favourite jokes goes like this: “There are three types of people in the world: those who can count and those who can’t”. Dividing things into a binary system sounds hopelessly simplistic, but perhaps that is a source of strength, not a weakness? H.A. Simon was a guru of decision-making and he classified all decisions into two types.
A programmed decision is routine, repeatable, and can be handled by a rule. An example might be: “Is the total of value the procurement greater than $25,000?” A non-programmed decision is novel, ambiguous, and needs judgement. “Is the supply market concentrated, distorted or otherwise complex?”
There has been a shift from threshold-based procurement governance to risk- and complexity-based governance over the last 25 years. The implication is that this migration pushes non-specialist users of procurement governance from making “programmed” decisions into making “non-programmed” decisions. That distinction matters, because governance is only as good as the decisions people actually make when they are under time pressure, juggling other responsibilities, and trying to get something done.
Two unspoken truths
Forty five years working in procurement has taught me that:
The quality and quantity of information available to casual users about risk, complexity, the category, and the supply market is often less than what is needed to make an informed choice of procurement method:
The capability required to interpret that information correctly is often greater than the capability of the people the governance is intended to guide.
But wait! There’s more bad news.
The magnificently named George Zipf came up with the Principle of Least Effort. I could explain the principle, but to be honest, I can’t be bothered. It states that people tend to choose the path that requires the least work. In procurement governance, that often translates into:
“This is low risk” (so I can do a light-touch RFQ)
“The market is simple” (so I don’t need engagement)
“We know the supplier” (so I don’t need competition)
“It’s urgent” (so I can use an exemption)
When writing any governance authors need to remember that the people most likely to need to know what they can and cannot do are:
part-time procurement participants
operational leaders under service delivery pressure
project managers focused on timelines
subject matter experts focused on technical outcomes
Procurement is not their job role. Governance is a hoop to jump though to get things done. Under those conditions, least effort is normal human behaviour. The uncomfortable implication is this: a risk-based system can create perverse incentives. If a lower risk rating leads to less work, then some people will gravitate toward lower ratings, consciously or not.
Why Kraljic-style models are hard for casual users
Many governance frameworks use portfolio thinking, often simplified from Kraljic’s Matrix. The promise is elegant: classify the acquisition based on dimensions such as supply risk and profit impact (or value/criticality), then apply an appropriate sourcing strategy.
In practice, for infrequent users, the model creates three problems.
1) Calibration is hard
What does “high risk” mean? Do we average out the risk level of all of these risks:
· probity and integrity risk (bias, conflicts, perception issues)
· safety risk (public safety, WHS, critical infrastructure)
· service continuity risk (impact on customers)
· financial risk (overruns, claims, insolvency)
· data and privacy risk (systems, personal data)
· reputational and political risk (media scrutiny)
· market risk (thin market, limited competition)
· delivery complexity (interfaces, dependencies, stakeholder variety)
2) Information needed to use the matrix may not be readily available
To classify purchases properly, you need information that many stakeholders do not have at the start:
· how concentrated the supplier market is
· switching costs
· contract criticality to service delivery
· supply chain fragility
· regulatory or safety exposure
· performance history and failure impact
3) The model is abstract
Portfolio models help create a strategic perspective on a portfolio of projects. But they are most often used to categorise individual purchases, not comparing multiple categories. Most purchases are tactical and time bound. Asking a project manager to do MBA-level market research for a one-off purchase can result in performative compliance. Interacting with the matrix becomes a compliance activity, not a decision making activity. The classification is performed but the outputs may not be believed.
Risk and complexity are not one thing
One reason that casual users find navigating risk-based governance difficult is that “risk” is a bundle of different risks that do not move together. When governance states “select the method based on risk and complexity,” it can fail to specify which risks matter most, and how they should be weighted.
That means users do what humans do: they simplify the problem. They pick one risk dimension they understand (often financial value), or they default to a comforting label (“low risk”). This highlights that the capability required to integrate multiple risk variables is higher than many users possess, especially if they only do this occasionally.
Decision aids and the Goldilocks problem
People who design governance (including me) try to help with tools: flow charts, decision trees, algorithms, guided questionnaires. These tools are well intentioned, but they can land in one of two failure modes.
Failure mode A: Too simple to protect the organisation
A simple flow chart that asks three questions will quick but it won’t catch important nuances. It will green-light approaches that are inappropriate for probity-sensitive or safety-critical categories.
Failure mode B: Too complex to be used
A detailed tool with 20 questions and multiple branches will be accurate, but it will feel like an examination. Users will avoid it, rush it, or answer strategically to get the outcome they want.
The “Goldilocks Zone” is hard because procurement governance is trying to do two jobs at once:
Enable good buying at speed
Assure integrity, value, and defensibility
What actually happens in organisations
When information and capability are misaligned with governance expectations, predictable behaviours show up:
Downward bias in risk scoring to access simpler pathways (Zipf)
Overuse of “standard” procurement methods regardless of category fit
Template compliance without genuine analysis
Escalation only after problems occur (late involvement of procurement)
Inconsistent decisions across business units doing similar buys
Procurement as gatekeeper rather than advisor, because decisions are not trusted
This is where Simon’s framing bites: non-programmed decisions require experience, time, and feedback loops. Some users may not possess these attributes, and so the governance won’t really help them make better decisions.
Depressing Conclusion
If my two “unspoken truths” are valid, then a risk or complexity-based governance regime needs to define:
What is the minimum viable information needed to classify a purchase?
How do we generate or supply that information early (market intelligence, category profiles, supplier performance history)?
Who is licensed to make these judgements?
What decisions must be supported by procurement specialists or a centre-led team?
What training or “just-in-time” support is realistic for infrequent users?
Risk- and complexity-based procurement governance are conceptually better than pure threshold governance. But it is also a human system, not a logic puzzle.
When the required information is missing and the required capability is uneven, people will default to the easiest path. That is not a moral failing. It is predictable behaviour.
The real governance challenge is not designing a smarter matrix. It is designing decision-making conditions where the “right” pathway is also the “easiest” pathway.