Contract risk scoring is the discipline of assigning a structured risk score to each contract — typically at intake, post-execution, or both — that drives downstream behavior: routing decisions, approval requirements, audit cadence, and renewal prioritization. Done well, risk scoring lets the team focus its limited attention on the contracts that actually matter; done poorly, it produces false confidence on contracts the score got wrong.
## The four dimensions of contract risk
A working risk-scoring rubric assesses four largely independent dimensions:
| Dimension | What’s being measured | Example signals |
|---|---|---|
| Financial | Dollar exposure, payment risk, revenue dependency | Total contract value, payment terms, single-customer concentration |
| Legal | Deviation from standard playbook positions | Liability cap, indemnification, IP terms, governing law |
| Operational | Complexity of obligations to deliver | SLAs, deliverables, integrations required, dependencies |
| Regulatory | Compliance and policy implications | Data protection, sector-specific rules, export controls, AI governance |
Each dimension produces a sub-score (typically 1-5 or low/medium/high). Combined, they produce an overall risk tier that drives downstream workflow.
## How to construct the rubric
The most useful rubrics are simpler — fewer dimensions, fewer levels, clearer triggers — than the fully elaborated risk frameworks consultants tend to draft. A working version:
Step 1: Score each dimension on a 1-3 scale.
| Score | Meaning |
|---|---|
| 1 | Low — within standard parameters |
| 2 | Medium — non-standard but manageable |
| 3 | High — material deviation requiring attention |
Step 2: Use the maximum score across dimensions.
A contract scored 1-1-3-1 across the four dimensions in the order given above is a Tier 3 (high operational) contract regardless of the other three scores. Taking the maximum prevents the most critical dimension from being averaged away.
Step 3: Map tier to workflow.
| Tier | Approval | Reviewer | Audit cadence |
|---|---|---|---|
| 1 | Self-serve via SOP | Auto / paralegal | None |
| 2 | Director approval | In-house attorney | Annual sample |
| 3 | GC approval | Senior attorney + outside counsel where needed | Active monitoring |
## How AI changes contract risk scoring
Two main shifts:
- Automated scoring at intake. Claude, SirionLabs, and Ironclad AI can score every contract automatically against the rubric — financial dimension from the contract value field, legal dimension from clause comparison against playbook, operational dimension from deliverable analysis, regulatory dimension from data-classification keywords.
- Continuous re-scoring. As contracts approach renewal, performance data, counterparty health changes, and regulatory developments can update the score. Static intake-time scoring becomes living portfolio assessment.
The output isn’t just a risk number — it’s a structured set of flags that route the contract through the right workflow without manual triage.
## Common pitfalls
- Single-dimension scoring. “Risk = total contract value” misses regulatory and operational risk. A $50K AI-vendor contract handling customer data may be higher risk than a $5M routine MSA.
- Score inflation over time. When approval requirements scale with score, business pressure pushes scores down. Audit the scoring distribution quarterly to detect drift.
- No re-scoring on changes. A contract scored low at intake but materially modified during negotiation should re-score. Without that step, the post-execution risk is mis-assessed.
- Risk tier doesn’t drive workflow. If Tier 3 contracts get the same review as Tier 1 in practice, the scoring is theater. The workflow must actually differentiate.
- Treating risk as static. Counterparty health changes, regulations evolve, and AI capabilities change. Periodic re-assessment of the rubric itself matters as much as re-scoring individual contracts.
## Related
- Contract review SOP — the workflow risk scoring drives
- MSA redlining rubric — operationalizes the legal-dimension scoring
- Vendor due diligence workflow — adjacent risk-scoring workflow for new vendors
- Contract lifecycle management — the system that holds risk-tier metadata