Use a Risk-based Framework for Contract Review and Negotiation

  • Talk it out. The most efficient way to recognize your organization’s operational risk is to talk with others – from leadership to project managers and technical staff.
  • One size doesn’t fit all. Adapt your contract review and negotiation strategy to fit the needs and risk tolerance of each business unit.
  • Risk matrix. A risk matrix should be a living document that identifies risks for further discussion, an approval process, and any expected exceptions.
  • Implementation. Obtaining leadership buy-in is the first step in developing a risk matrix. Once developed, training and consistent use are essential.

You move in-house after working in law firms for years. During your first few contract reviews, you identify every possible change and tell your operations teams that each of these contract changes is a “must have.” You begin to hear that your operations teams aren’t coming to you for contract reviews, or that they’re ignoring your changes. Does this situation sound familiar? Instituting a risk-based framework for contract review, negotiation, and implementation will encourage trust with operations teams and help you execute your company projects more effectively.

As in-house counsel, you’re often asked to wear two hats — both lawyer and businessperson. When negotiating a contract, a risk-based framework will help you balance legal and business risks. You should understand the general operational risks your company faces along with any particular sensitivities related to the contract you’re reviewing, provide flexible feedback, and generate consistency across contract reviews through a risk matrix.

Operational risks

It is crucial to understand the operational risks faced by your organization. The easiest way to do this is to get to know your company and your staff. Talk to your teams. Talk to the leadership team to gain an understanding of organization-wide operational risks. Talk to project managers and technical staff to learn about project-specific operational risks. Learn about what’s practical for your operations teams to achieve and work with them to develop a contract that reflects the team’s abilities and limitations. Keep in mind the company’s overall risk tolerance and consider whether the contract for this project will push your company out of its comfort zone for risk.

It is also crucial for an in-house counsel to understand the industry in which the company provides services. In-house counsel should consider joining an industry-specific in-house group to gain additional knowledge and expertise. ACC has networks addressing different practice areas. Each has a dedicated forum that allows in-house counsel to discuss the latest developments.

Flexible feedback

What works for one project or one business unit may not work for another. Adapting your contract review and negotiation strategy to fit those needs will make you a valued partner to each business unit. If one business unit is light on work, would it consider taking on risks that would normally be considered unacceptable? If one business unit takes on additional risk, do other areas become risk-averse? Or does your organization’s overall risk tolerance increase? Your company’s leadership team can provide guidance on these questions.

Your team also needs to adapt to the changing needs of your company’s clientele. They may have become more sensitive to delays in services during the pandemic and may also be less willing to compromise on schedule language in the contract. If that’s the case, how does your organization adapt?

Risk matrix

A risk matrix will help you provide consistent feedback to different operations teams within your organization. But a risk matrix is not a “dead” document — understanding operational risks and adapting to changing needs will lead to a risk matrix that is more flexible and relevant to your company.

Once you understand the operational risks that are of particular concern, identify key areas to include in a risk matrix. These key areas can include highlighting risky contract provisions for discussion; the type of contract and fee; and project-specific considerations such as the location of performance, the vendor’s reputation (good or bad), and whether the scope of services is reasonable.

The levels of review required within the company change as risk increases. For a low-risk project, a project manager may be able to sign the contract. For projects that are high risk, your senior leadership may choose to notify the company’s board of directors.

If you’re developing a risk matrix for the first time, obtaining buy-in on the use of a risk matrix to evaluate projects is critical. Your leadership team should be involved in creating and reviewing the risk matrix to ensure it meets your organization’s needs. Included herein is a sample of a risk matrix for a professional engineering company that utilizes four risk categories. Other organizations may utilize a points system or a color system in a risk matrix.

Example of a risk matrix
  1. PMs may approve contract modifications or changes up to US$200K, provided the risk profile and planned gross margin percentage (GM%) are unchanged from the original baseline. Notification to the “owning” BUL is required in advance of the commitment.
  2. The highest category reached by any one indicator for a particular commitment will determine the commitment’s category — no “offsetting” allowed.
  3. Risk and Contract Worksheet is reviewed and filled out.
  4. Concurrence required from COO for any Non-US project above Category 1.
  5. Studies/Consulting exception: a commitment to perform services in the nature of a study with revenue of up to US$2M, that does not include definitive engineering, estimates or evaluation of structural integrity, nor other unusual risks (i.e., heightened safety/security risk, or study used to substantiate 3rd party investment or financing, or to support raising of capital in public markets) may be considered Risk Category 1, even though there may be deviations from Risk and Contract Worksheet.
  6. Any project in other than Risk Category 1 requires an advance project screening meeting prior to proposal preparation, and sufficiently in advance of the final Management Commitment approval request. Required invitees are the noted commitment authorities.
  7. Authority may be delegated from the President, Chief Operations Officer, or a Business Unit Leader to his/her designee in writing (copy of Delegation of Authority letter is to be filed with Vice President of Contracts & Risk Management). Persons holding higher office than specified also have signature/commitment authority.
  8. For international project locations, On-Call International (On-Call) data will determine the risk category at the time of review/commitment. Director of Safety/Security is required screening and concurrence authority for On-Call travel security rating of “high” or “extreme”.
  9. Projects that include procurement require concurrence from Procurement Manager who is a required invitee for all screening and will be a concurring authority in final management approval request.
  10. For all Business Units, with the exception of HPF (D-B) and NST (D-F), professional services provided as a subcontractor to a prime construction or fabrication contractor will be a minimum of a Risk Category 3. All Design-Build projects, including the Design-Build contractor, require concurrence from Design-Build Program Manager, prior to submitting a proposal.
  11. Notify CSS if a local country banking relationship needs to be established.
  12. All international agreements shall be reviewed by a local attorney in country to ensure we understand local laws, terminology, content and interpretations.

This sample risk matrix was developed — and updated — over the course of several years. The risk manager and senior leadership team decided what risk factors should be included. If any single risk factor is in an elevated category, the entire project falls under the elevated risk category, and the required approvals and review process change.

As your company prepares to utilize a risk matrix, consider making it multi-functional. Along with identifying risks for further discussion, include who has authority to approve the project. Identify who needs to be involved in the approval process and when they should be brought up to speed. If the organization intends for there to be an exception to a risk factor, identify it on the risk matrix.

Implementation of the risk matrix

Once you develop a risk matrix with the buy-in of your company’s leadership, training and consistent use are important. Your senior leadership should communicate the adoption of the risk matrix to project managers, business unit leaders, and others who need to be aware of the risk matrix. Ask your senior leaders to include the risk matrix in mandatory project management training going forward. You can deliver training on the use of the risk matrix directly, or train appropriate individuals to teach their staff how to use this tool.

It is also helpful to ask a member of your leadership team to attend training provided to project managers and other members of the operations teams who will be involved in utilizing the risk matrix. He or she can emphasize the importance of utilizing the matrix, and the expectation that project managers do so. This is not a one-time training. Remind your operations teams about the risk matrix in all contract-related and project management-related training to help keep it fresh in their minds.

Risk matrix in action

The following is an example of the risk matrix in action.

Company A is an engineering firm that is looking to expand its geographic footprint. When the operations team sat down to review the opportunity, they came away with the following observations from the risk matrix:

  1. The expansion is to another state within the United States, and does not introduce new technology or elevate the technical complexity of the project;
  2. The services are what the company considers to be “traditional” architecture and engineering services;
  3. The customer is new to the company. Based on informal conversations with engineers at other companies, the client can be difficult to work with, and has refused to pay other engineering firms over minor issues;
  4. The anticipated scope of services is clear, with a schedule that the operations team feels comfortable it can meet;
  5. The team looked into the client’s financial history and sees nothing negative or alarming; and
  6. The contract complies with the engineering company’s mandatory contract provisions, including a waiver of consequential damages.

Because the client has a reputation for harsh treatment of its consultants, the operations team designates the potential expansion as a Risk Category 3. The team notifies its business unit leader so that the appropriate individuals can review the project and weigh in on whether to pursue it. All of the required individuals attend a briefing led by the operations team. The company’s chief operations officer polls the room. After a lively discussion of performance and contractual risks, the operations team receives the go-ahead to pursue the work. The operations team is tasked with developing a plan that mitigates the risk of working with a difficult client, and the project moves forward.

The bottom line when developing a risk matrix and moving your organization toward a risk-based framework for contract negotiation is to find what works for your situation. Use it often and make improvements over time. As needs change, your risk matrix should be updated to remain relevant.

In-house counsel are asked to be both lawyer and businessperson. Effective use of a risk matrix and proving yourself flexible and reasonable will ensure that you have a seat at the table for important conversations.
