Legal Risk Assessment

Tools

Risk Scorer

Calculates risk scores from severity and likelihood inputs, assigns color-coded risk levels, and generates summary statistics.

# Score a single risk
python scripts/risk_scorer.py --severity 4 --likelihood 3 \
  --category "Contract" --description "Vendor SLA non-compliance"

# JSON output
python scripts/risk_scorer.py --severity 4 --likelihood 3 \
  --category "Contract" --description "Vendor SLA breach" --json

# Batch mode from risk register file
python scripts/risk_scorer.py --input risks.json --json

# Batch mode with human-readable output
python scripts/risk_scorer.py --input risks.json

Input JSON format (batch mode):

{
  "risks": [
    {"severity": 4, "likelihood": 3, "category": "Contract", "description": "Vendor SLA breach"},
    {"severity": 2, "likelihood": 2, "category": "Regulatory", "description": "Minor filing delay"}
  ]
}

Output includes:

• Risk score (Severity x Likelihood)
• Color-coded level (GREEN / YELLOW / ORANGE / RED)
• Recommended action (Accept / Monitor / Mitigate / Escalate)
• Batch summary statistics (count per level, average score)

Risk Report Generator

Generates a formatted risk assessment memo in markdown from a risk register JSON file.

# Generate memo from risk register
python scripts/risk_report_generator.py --input risk_register.json

# Save to file
python scripts/risk_report_generator.py --input risk_register.json --output memo.md

# JSON metadata output
python scripts/risk_report_generator.py --input risk_register.json --json

Report includes:

• ASCII risk matrix visualization
• Risk distribution summary (counts and percentages per level)
• Top risks ranked by score
• Recommended actions per risk with owner assignments
• Monitoring plan suggestions
• Escalation recommendations

Reference Guides

Risk Framework

references/risk_framework.md

Complete Severity x Likelihood matrix reference:

• Severity levels 1-5 with financial exposure percentages
• Likelihood levels 1-5 with probability ranges
• Risk matrix visualization
• Risk classification (GREEN/YELLOW/ORANGE/RED) with actions
• Documentation standards for memos and register entries

Escalation Guide

references/escalation_guide.md

When to engage outside counsel:

• Mandatory engagement triggers (litigation, investigation, criminal)
• Strongly recommended scenarios (novel issues, material exposure)
• Consider scenarios (complex disputes, employment, data incidents)
• Risk category definitions and contributing/mitigating factors

Workflows

Workflow 1: New Risk Assessment

Step 1: Identify risk category and description
        → Use references/risk_framework.md category definitions

Step 2: Score severity (1-5) and likelihood (1-5)
        → python scripts/risk_scorer.py --severity N --likelihood N \
          --category "Category" --description "Description"

Step 3: Review risk level and recommended action
        → GREEN: Accept and document
        → YELLOW: Assign owner and monitor
        → ORANGE: Escalate to senior counsel
        → RED: Immediate escalation, crisis management

Step 4: Determine outside counsel need
        → Consult references/escalation_guide.md

Step 5: Document in risk register
        → Add entry to register JSON file

Workflow 2: Periodic Risk Register Review

Step 1: Load current risk register
        → python scripts/risk_scorer.py --input register.json

Step 2: Generate assessment memo
        → python scripts/risk_report_generator.py --input register.json --output memo.md

Step 3: Review top risks and distribution
        → Focus on ORANGE and RED risks first

Step 4: Update severity/likelihood for changed risks
        → Re-score and regenerate report

Step 5: Distribute memo to stakeholders

Workflow 3: Escalation Decision

Step 1: Score the risk
        → python scripts/risk_scorer.py --severity N --likelihood N \
          --category "Category" --description "Description"

Step 2: Check escalation triggers
        → Mandatory: active litigation, government investigation, criminal exposure
        → Strongly Recommended: novel issues, jurisdictional complexity, material exposure
        → Consider: complex disputes, employment matters, data incidents

Step 3: Document escalation rationale
        → Include risk score, level, and specific trigger in memo

Step 4: Select outside counsel if needed
        → See references/escalation_guide.md criteria

Troubleshooting

Success Criteria

• All identified legal risks scored and documented -- every risk has severity, likelihood, category, description, and recommended action in the register
• Risk distribution reviewed quarterly -- memo generated and distributed to stakeholders with trend analysis
• ORANGE and RED risks have assigned owners and mitigation plans -- no high-severity risk without accountability
• Escalation decisions documented with rationale -- outside counsel engagement triggers clearly recorded
• Risk register maintained as living document -- risks updated, resolved, or archived as status changes

Scope & Limitations

In Scope:

• Quantitative risk scoring using 5x5 Severity x Likelihood matrix
• Risk register management and batch processing
• Risk assessment memo generation with matrix visualization
• Escalation guidance for outside counsel engagement
• Risk categorization (Contract, Regulatory, Litigation, IP, Data Privacy, Employment, Corporate)

Out of Scope:

• Legal advice on specific risk mitigation strategies -- consult legal counsel
• Insurance coverage analysis or actuarial calculations
• Regulatory filing or submission preparation
• Contract drafting or review
• Litigation strategy or case management

Anti-Patterns

• Scoring by committee consensus without criteria -- use the defined severity and likelihood scales consistently; do not negotiate scores to make stakeholders comfortable; a risk scored as 4 severity should match the framework definition
• Treating the risk register as a one-time exercise -- risk registers are living documents; risks change as circumstances evolve; schedule quarterly reviews and update scores accordingly
• Escalating everything to outside counsel -- the escalation guide defines specific triggers; not every YELLOW risk needs external counsel; over-escalation wastes budget and creates dependency
• Ignoring GREEN risks entirely -- GREEN risks still require documentation and periodic monitoring; a GREEN risk can escalate to YELLOW or ORANGE if circumstances change
• Using risk scores as the sole decision factor -- scores are inputs to judgment, not substitutes; qualitative factors like reputational impact or strategic importance may warrant action beyond what the score suggests

Tool Reference

risk_scorer.py

Calculates risk scores and assigns color-coded risk levels with recommended actions.

risk_report_generator.py

Generates formatted risk assessment memo from a risk register JSON file.