LR-201a · Module 2

Risk Scoring Methodology

"This clause is risky" is not useful. Risky how? Risky compared to what? Risky enough to redline or risky enough to accept? Without a scoring methodology, risk assessment is subjective — and subjective risk assessment produces inconsistent decisions across reviewers, across engagements, and across time. A risk score converts judgment into a number that can be compared, tracked, and defended.

  1. Dimension 1: Severity. If this provision is triggered, how bad is the outcome? Uncapped financial liability is severity 5. A narrowly scoped warranty obligation is severity 2. Severity measures the worst-case consequence of the provision as written, not the probability that it will be triggered.
  2. Dimension 2: Probability. How likely is this provision to be triggered in a typical engagement? A data breach notification clause in a contract involving PII processing has higher probability than the same clause in a contract with no data exchange. Probability is context-dependent — the same clause carries different probability in different engagements.
  3. Dimension 3: Controllability. Can you mitigate the risk through your own actions, or does it depend on the other party? A warranty obligation you can fulfill through your delivery process is controllable. An indemnification triggered by the other party's regulatory non-compliance is not. Low controllability increases effective risk because the mitigation is not in your hands.
  4. Composite Score. Severity times probability, adjusted for controllability. A high-severity, high-probability, low-controllability provision is a [REDLINED] candidate. A high-severity, low-probability, high-controllability provision is a [RISK] — worth noting but potentially acceptable. The composite score makes the annotation decision defensible rather than instinctive.

Do This

  • Score every flagged provision on severity, probability, and controllability before annotating
  • Use the composite score to prioritize negotiation — fight the highest-scoring provisions first
  • Recalibrate probability scores for each engagement based on the specific context

Avoid This

  • Treat risk as binary — "risky" or "not risky" — when it is a spectrum
  • Score severity without considering probability — a catastrophic but near-impossible event may not warrant a redline
  • Apply the same probability scores across all engagements — context changes probability