On September 23, 2024, the US Department of Justice released an updated Evaluation of Corporate Compliance Programs (ECCP) that hard-coded continuous third-party due diligence as the new baseline.
| The Contract Risk Assessment Checklist Cheat Sheet |
| US enterprises lose around 11% of contract value once deals move into delivery. On a $500M contract base, that is roughly $55M a year in leakage. A working Contract Risk Assessment Checklist closes most of it. |
| The DOJ September 2024 update to the Evaluation of Corporate Compliance Programs makes ongoing third-party due diligence a continuous obligation. One-time pre-signing checks no longer satisfy prosecutors. |
| Score every contract on a 5×5 severity-by-probability matrix run inside the ISO 31000:2018 process (ISO 31000 sets the identify-analyze-evaluate-treat-monitor cycle; the matrix itself is the consequence/likelihood technique catalogued in IEC 31010). Severity covers financial, regulatory, and reputational exposure. Probability is residual, scored after existing controls. |
| Six risk categories drive 90% of contract issues: financial / commercial, legal / regulatory, operational / SLA, third-party / cyber, reputational / ESG, and force majeure. |
| 30% of negotiated contracts hit a substantial disagreement at some point. Only 0.007% reach a court ruling. The Contract Risk Assessment Checklist is what keeps issues out of the courtroom and inside commercial review. |
| Tie every contract to a named risk owner, a renewal review trigger, and a change-control workflow. Standalone contract registers fail every audit. |
| Build the checklist as a living document that refreshes per contract event: signature, milestone, payment, scope change, vendor patch, regulatory update. |
Pre-signing checks alone no longer satisfy federal prosecutors. Every active US enterprise contract now sits inside a regulatory expectation that did not fully exist in 2023, and the Contract Risk Assessment Checklist is the document that proves the program is working.
Layer the financial picture on top. World Commerce & Contracting and Ironclad’s 2024 benchmark estimates US enterprises lose 11% of contract value once deals move into delivery. On a $500M contract base, that is $55M a year.
The World Commerce & Contracting (WorldCC) capability data puts clarity of responsibilities and process maturity at the top of the gap list. A working Contract Risk Assessment Checklist is what closes the leakage and the prosecution risk in the same document.

Figure 1. The financial leakage a Contract Risk Assessment Checklist closes.
What a Modern Contract Risk Assessment Checklist Has to Cover
A modern Contract Risk Assessment Checklist is a working document. A named risk owner signs it off. It scores every active contract against six risk categories and triggers escalation when residual risk crosses a defined threshold.
It is not a one-time pre-signature gate. It is not a procurement formality. It is the artifact prosecutors, auditors, and the audit committee will all ask for first.
Two design choices separate a working Contract Risk Assessment Checklist from a binder no auditor trusts. First, scope at the contract level, not the relationship level.
A single supplier with five contracts has five risk profiles, not one. Second, name a human risk owner per contract, not per category. Without that named owner, the checklist is decoration.
Where the Contract Risk Assessment Checklist Sits in the Wider Risk Stack
| Layer | Authoritative reference | Role for the Contract Risk Assessment Checklist |
| Risk management process | ISO 31000:2018 | Identify, analyze, evaluate, treat, monitor |
| Compliance program | DOJ ECCP September 2024 update | Continuous third-party due diligence and risk-based testing |
| Anti-bribery | DOJ FCPA Resource Guide + ISO 37001 anti-bribery management | Third-party screening, payment red flags, training records |
| Enterprise risk | COSO ERM framework | Routes residual contract risks into the enterprise risk register |
| Sanctions | Treasury OFAC SDN and consolidated sanctions lists | Counterparty and beneficial-owner screening at signing, annually, and on ownership change |
| Federal procurement | Federal Acquisition Regulation (FAR) | Government-contracts compliance, flow-down clauses |
How the DOJ 2024 Update Reshapes the Contract Risk Assessment Checklist
The DOJ Criminal Division’s September 23, 2024 ECCP update is the biggest US compliance shift for contracts in three years. Three things change at once. Continuous third-party due diligence replaces one-time vetting.
Root-cause analysis becomes mandatory after FCPA resolutions. AI and data governance become explicit ECCP topics. Every Contract Risk Assessment Checklist drafted before October 2024 is now under-spec.
In practice, the 2024 ECCP update treats the Contract Risk Assessment Checklist as the document that demonstrates the program.
Pre-signing screening, payment monitoring, scope-change review, and post-incident root-cause analysis all leave a trail. The Skadden summary of the 2024 ECCP update gives a clean US-language reference.
DOJ ECCP 2024 Expectations the Contract Risk Assessment Checklist Must Carry
| ECCP topic | What the DOJ now expects | Where it lands on the Contract Risk Assessment Checklist |
| Continuous third-party due diligence | Risk-based monitoring throughout the relationship, not at signing only | Annual recertification; trigger-based re-screening on payment, scope, or ownership change |
| Root-cause analysis | Required after FCPA resolutions; expected as best practice generally | Mandatory column on every red-zone contract; lessons-learned feed back into the checklist |
| AI and data governance | Companies must consider AI risks in compliance programs | AI-use disclosure clause + monitoring KPI per contract |
| Whistleblower protections | Demonstrable channels and protections | Counterparty attestation that subcontractors can report concerns |
| Resource allocation | Sufficient staffing for higher-risk priorities | Risk-based staffing model documented per contract tier |
| Lessons learned | Demonstrable feedback loop | Quarterly contract-incident review with action tracker |
The Six Categories on Every Contract Risk Assessment Checklist
Six risk categories drive roughly 90% of US enterprise contract issues: financial and commercial, legal and regulatory, operational and SLA, third-party and cyber, reputational and ESG, and force majeure.
The Contract Risk Assessment Checklist scores each category for every active contract. A checklist that omits one of the six is incomplete by definition.

Figure 2. Where Contract Risk Assessment Checklist issues land by category.
The Six Categories on the Contract Risk Assessment Checklist Explained
| Category | What it covers | Top items the Contract Risk Assessment Checklist must score |
| Financial / commercial | Pricing, payment, leakage, currency, tax | Price escalation, auto-renewal, rebates, currency exposure, tax withholding, credit limits |
| Legal / regulatory | Jurisdiction, statute, license, FCPA, sanctions | Governing law, liability cap, indemnity, FCPA / OFAC screening, regulatory carve-outs |
| Operational / SLA | Performance, delivery, change control | SLA metrics, service credits, scope-change protocol, acceptance criteria, exit assistance |
| Third-party / cyber | Vendor health, sub-contractors, data security | Cyber attestation, SOC 2 Type II / ISO 27001 evidence, sub-tier flow-down, breach-notification clause with a defined clock, audit or assessment rights |
| Reputational / ESG | Sustainability, modern slavery, sanctions adjacency | ESG attestation, supply-chain transparency, modern-slavery statements |
| Force majeure | Pandemic, geopolitical, climate, infrastructure | Definition scope, notice requirements, mitigation duty, termination triggers |
Worked 5×5 Contract Risk Assessment Checklist Matrix
The 5×5 matrix is the workhorse for a Contract Risk Assessment Checklist. Score severity on a combined dimension covering financial, regulatory, and reputational exposure. Score probability as residual likelihood after existing controls.
Score inherent risk first, then residual risk after the contract's controls are credited; the matrix reads the residual figure. A contract with major severity (5) and almost-certain probability (5) scores 25 (Critical). The contract does not move forward until the residual score drops below 12.

Figure 3. A 5×5 matrix for the Contract Risk Assessment Checklist, ISO 31000-aligned.
Worked Contract Risk Assessment Checklist Scoring Examples
| Contract scenario | Severity (1-5) | Probability (1-5) | Risk score | Risk-based control decision |
| Foreign-sourced supplier with FCPA exposure | 5 | 3 | 15: High | Enhanced DD + payment monitoring + annual recertification |
| SaaS vendor processes regulated US health data | 5 | 4 | 20: Critical | BAA + SOC 2 Type II + 24-hour breach-notification SLA (well inside the HIPAA Breach Notification Rule's 60-day outer limit) + privacy impact assessment |
| Auto-renewing $5M services contract | 3 | 5 | 15: High | Renewal trigger 90 days out + competitive benchmarking + scope re-review |
| Force-majeure clause silent on pandemics | 4 | 3 | 12: High | Renegotiate definition + add notice and mitigation duties |
| Subcontractor on federal contract without flow-down clauses | 5 | 3 | 15: High | Add FAR flow-down clauses + sanctions screening of all sub-tiers |
| Sole-source critical-component supply | 5 | 2 | 10: High | Backup-supplier qualification + buffer inventory + force-majeure carve-out |
| Boilerplate NDA for public-source data | 1 | 3 | 3: Low | Standard template; minimal review; quarterly renewal |
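The matrix arithmetic and banding above, as an added worked example in Python that is not part of the original article. The band cut-offs (Critical at 20 and above, High 10 to 19, Moderate 5 to 9, Low below 5), the per-control probability credits, and the rule that an unassigned risk owner blocks sign-off are assumptions made here because the page does not publish them; the cut-offs are chosen so that every row of the worked table lands in the band the table shows. The example goes beyond the table in one respect: it walks the health-data SaaS row from Critical to a gate-clearing score one control at a time, which makes visible that at severity 5 the below-12 gate is only cleared once residual probability is 2 or lower, because controls move likelihood, not the size of the regulated-data exposure.

```python
"""5x5 contract risk scoring helper (added example; band cut-offs, control
credits and the owner rule are assumptions, not figures from the article)."""
from dataclasses import dataclass, field

GATE_SCORE = 12  # page rule: the contract does not move forward until the score is below 12

# Assumed cut-offs, chosen so every row of the worked table lands in its stated band.
BANDS = ((20, "Critical"), (10, "High"), (5, "Moderate"), (1, "Low"))


def band(score: int) -> str:
    """Map a 1..25 risk score to its band."""
    if not 1 <= score <= 25:
        raise ValueError(f"risk score {score} outside the 5x5 range 1..25")
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: floor 1 always matches")


def _check_scale(value: int, what: str) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{what} must be an integer 1..5, got {value!r}")


@dataclass
class Control:
    """A contractual or operational control and the number of probability
    points it is credited with removing (credit values are assumed)."""
    name: str
    probability_credit: int


@dataclass
class ContractRisk:
    contract: str
    category: str               # one of the six checklist categories
    severity: int               # combined financial + regulatory + reputational exposure, 1..5
    inherent_probability: int   # likelihood before any control, 1..5
    controls: list[Control] = field(default_factory=list)
    risk_owner: str = ""        # a named human; empty means nobody can be escalated to

    def __post_init__(self) -> None:
        _check_scale(self.severity, "severity")
        _check_scale(self.inherent_probability, "inherent probability")

    def residual_probability(self) -> int:
        """Controls reduce likelihood only; severity is left untouched because a
        clause does not shrink the exposure (regulated data, FCPA reach), it
        lowers the chance that the exposure is realised."""
        credit = sum(c.probability_credit for c in self.controls)
        return max(1, min(5, self.inherent_probability - credit))

    def inherent_score(self) -> int:
        return self.severity * self.inherent_probability

    def residual_score(self) -> int:
        return self.severity * self.residual_probability()

    def residual_band(self) -> str:
        return band(self.residual_score())

    def escalate(self) -> bool:
        """High or Critical residual risk goes to the named risk owner."""
        return self.residual_band() in ("High", "Critical")

    def may_proceed(self) -> bool:
        """Assumed rule: no named owner means no sign-off, whatever the score."""
        return bool(self.risk_owner) and self.residual_score() < GATE_SCORE


# Constructed data: the seven rows of the worked table, entered at the
# probability the table gives (already residual, so no controls are attached).
WORKED_TABLE = [
    ContractRisk("Foreign-sourced supplier with FCPA exposure", "legal/regulatory", 5, 3, risk_owner="compliance officer"),
    ContractRisk("SaaS vendor processes regulated US health data", "third-party/cyber", 5, 4, risk_owner="CISO"),
    ContractRisk("Auto-renewing $5M services contract", "financial/commercial", 3, 5, risk_owner="deal lead"),
    ContractRisk("Force-majeure clause silent on pandemics", "force majeure", 4, 3, risk_owner="general counsel"),
    ContractRisk("Subcontractor on federal contract without flow-down clauses", "legal/regulatory", 5, 3, risk_owner="contracts director"),
    ContractRisk("Sole-source critical-component supply", "operational/SLA", 5, 2, risk_owner="sourcing director"),
    ContractRisk("Boilerplate NDA for public-source data", "legal/regulatory", 1, 3, risk_owner="deal lead"),
]


def score_table(rows: list[ContractRisk]) -> dict[str, tuple[int, str]]:
    """Residual score and band per contract, keyed by contract name."""
    return {r.contract: (r.residual_score(), r.residual_band()) for r in rows}


def saas_health_data_example() -> list[tuple[str, int, str, bool]]:
    """Walk the health-data SaaS row from Critical to a gate-clearing score,
    adding one control at a time. Returns (step, score, band, may_proceed)."""
    risk = ContractRisk("SaaS vendor, regulated US health data", "third-party/cyber", 5, 4, risk_owner="CISO")
    trail = [("no controls", risk.residual_score(), risk.residual_band(), risk.may_proceed())]
    for control in (Control("BAA executed", 1),
                    Control("SOC 2 Type II report reviewed", 1),
                    Control("24h breach-notification SLA + privacy impact assessment", 1)):
        risk.controls.append(control)
        trail.append((control.name, risk.residual_score(), risk.residual_band(), risk.may_proceed()))
    return trail


if __name__ == "__main__":
    for name, (score, label) in score_table(WORKED_TABLE).items():
        print(f"{score:>2} {label:<9} {name}")
    for step, score, label, ok in saas_health_data_example():
        print(f"{score:>2} {label:<9} proceed={ok} after: {step}")
```

The trail for the SaaS row reads 20 Critical, 15 High, 10 High, 5 Moderate: the gate opens at the third line, when residual probability reaches 2, and the fourth control only moves the band, not the decision. That is the practical reading of the page's threshold: for a severity-5 contract, a single control is never enough.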
The Ten-Step Contract Risk Assessment Checklist Workflow
A workflow is what keeps the Contract Risk Assessment Checklist usable across the contract lifecycle.
The ten-step version below runs from pre-signing through retirement, scoring risk at every event that changes the exposure profile: signature, milestone, payment, scope change, ownership change, and renewal. It aligns to the DOJ 2024 ECCP expectation on continuous third-party due diligence.
The Ten Steps of a Contract Risk Assessment Checklist
| Step | Action | Inputs | Outputs |
| 1 | Define scope and contract tier | Spend value, regulatory exposure, criticality | Contract tier (Tier 1/2/3) + risk-based DD level |
| 2 | Counterparty due diligence | Beneficial-owner data, OFAC, watchlists, financials | DD memo + go/no-go flag + ownership chart |
| 3 | Score the six risk categories | Draft contract + commercial term sheet | Inherent risk score per category |
| 4 | Map controls to risks | Existing playbook clauses + insurance program | Control map + gap list |
| 5 | Score residual risk | Inherent score + control effectiveness | Residual risk score and band per category |
| 6 | Negotiate priority gaps | Gap list + commercial leverage | Marked-up draft + concession log |
| 7 | Sign-off and risk-owner assignment | Final contract + escalation matrix | Signed contract + named risk owner |
| 8 | Operationalize monitoring | SLAs, KPIs, KRIs | Monitoring dashboard + escalation triggers |
| 9 | Trigger-based re-assessment | Change events: scope, payment, ownership, regulation | Updated checklist + risk-register update |
| 10 | Renewal or retirement | Performance data + market benchmarking | Renew, renegotiate, exit; lessons learned |
Where Contract Risk Assessment Checklist Programs Stall: The Dispute Funnel
Most contract issues never reach a courtroom. World Commerce & Contracting research shows 30% of negotiated contracts hit a substantial disagreement at some point in their life. Only 0.007% reach a litigation or arbitration ruling.
The gap is where commercial review, escalation, and informal resolution do the work. The Contract Risk Assessment Checklist is what triggers those reviews early enough to keep them informal.

Figure 4. The dispute funnel a Contract Risk Assessment Checklist intercepts.
Contract Risk Assessment Checklist Patterns by US Sub-Sector
The same Contract Risk Assessment Checklist skeleton applies across the US economy, but the failure modes shift by sub-sector.
Patterns below come from FY2023-FY2024 enforcement data combined with client engagements across financial services, healthcare, manufacturing, technology, and federal contracting.
Sub-Sector Patterns the Contract Risk Assessment Checklist Must Reflect
| Sub-sector | Highest-risk contract types | Top failure patterns | Where the checklist must dial up |
| Financial services | Vendor outsourcing, MSAs, derivatives, intercompany | SR 11-7 model risk (Fed guidance, adopted by the OCC), sanctions exposure | 2023 Interagency Guidance on Third-Party Relationships (OCC / Fed / FDIC) + DORA-style critical-vendor flag |
| Healthcare / life sciences | BAA, clinical-trial agreements, supply | HIPAA breach exposure, FDA quality-agreement gaps | HHS HIPAA business associate guidance scope; FDA quality agreement; FCPA in foreign trials |
| Manufacturing | Supply contracts, distribution, OEM | Supply continuity, force majeure, IP | Sole-source flag, force-majeure scope, IP clauses |
| Technology / SaaS | Customer MSA, sub-processor, AI clauses | Data residency, sub-processor breach, AI-use disclosure | DPA/sub-processor list, AI risk clauses, exit assistance; align to the NIST Cybersecurity Framework 2.0 |
| Federal contracting | Prime, sub, IDIQ, cooperative agreements | FAR flow-down, sanctions, cyber per DFARS 252.204-7012 / NIST SP 800-171 / CMMC | FAR and DFARS flow-down clauses + NIST SP 800-171 and CMMC alignment |
Common Pitfalls in Contract Risk Assessment Checklist Programs
Most stalled US Contract Risk Assessment Checklist programs fail in predictable ways. The list below covers the seven traps that come up most often during second-line reviews and post-incident remediation.
Use it as a self-audit before the next quarterly contract review or DOJ-style program review.
| Pitfall | Root cause | Remedy |
| Checklist run only at signing | Treated as a procurement gate, not a lifecycle tool | Add trigger-based re-assessment at scope change, payment event, regulatory update |
| No named risk owner per contract | Function-level rollup hides accountability | Name a single human risk owner per active contract with halt authority |
| Generic 5×5 matrix, never tailored | Borrowed template, identical scoring scales for every contract type | Calibrate severity scales to contract tier; document scoring rationale per category |
| Auto-renewal blind spots | No central calendar of renewal triggers | Centralize renewal triggers; 90-day pre-renewal review on every Tier-1 contract |
| Sub-tier exposure ignored | Due diligence stops at the Tier-1 counterparty | Flow-down clauses + sub-processor list + sub-tier sanctions screening |
| No FCPA / sanctions integration | Compliance and contract teams operate in silos | Single workflow: legal + compliance + procurement + risk; OFAC re-screen on every renewal |
| Checklist disconnected from risk register | Built outside ERM | Map every Contract Risk Assessment Checklist score to a registered risk and a control via the project risk register |
Frequently Asked Questions About the Contract Risk Assessment Checklist
What is a Contract Risk Assessment Checklist?
A Contract Risk Assessment Checklist is the documented analysis that scores every active contract on financial, legal, operational, third-party, reputational, and force-majeure risk. Each score ties to a control and a named risk owner.
Residual risk above a defined threshold triggers escalation. The framework anchors on ISO 31000:2018, the DOJ ECCP September 2024 update, and the FCPA Resource Guide.
How often should a Contract Risk Assessment Checklist be reviewed?
A Contract Risk Assessment Checklist refreshes per contract event, not per calendar quarter. Trigger conditions include scope change, payment event, ownership change, sanctions update, regulatory shift, breach or near-miss, and renewal date.
Tier-1 contracts get a default annual review on top of those triggers. Tier-3 boilerplate contracts can run on a longer cycle with documented justification.
What categories must a Contract Risk Assessment Checklist cover?
A Contract Risk Assessment Checklist must cover six categories: financial and commercial, legal and regulatory, operational and SLA, third-party and cyber, reputational and ESG, and force majeure.
Each category has its own scoring scale and its own controls. A checklist that omits one category typically fails the audit it was built to pass, no matter how detailed the other five are.
How does the DOJ 2024 ECCP change the Contract Risk Assessment Checklist?
The September 2024 DOJ ECCP update makes ongoing third-party due diligence a continuous obligation. It requires root-cause analysis after FCPA resolutions. It adds AI and data governance as explicit topics.
And it reinforces whistleblower-protection expectations. The Contract Risk Assessment Checklist now needs trigger-based re-assessment, root-cause columns on red-zone contracts, AI-use disclosure clauses, and counterparty whistleblower attestation.
Who owns the Contract Risk Assessment Checklist program?
The Chief Risk Officer or General Counsel owns the enterprise program. Day to day, every active contract has a named human risk owner.
The deal lead owns commercial contracts. The compliance officer owns FCPA-exposed deals. The CISO owns technology and SaaS contracts. The sourcing director owns supply contracts. Without a named owner per contract, the Contract Risk Assessment Checklist is decoration.
How does the Contract Risk Assessment Checklist link to ISO 31000 and COSO ERM?
The Contract Risk Assessment Checklist feeds the monitor-and-review step of the ISO 31000 risk management lifecycle and populates the performance dimension of COSO ERM.
Each scored risk maps to a registered risk and to one or more controls. That linkage is what closes the loop between contract review and enterprise risk reporting.
How does a Contract Risk Assessment Checklist differ from a contract review checklist?
A contract review checklist looks at the document at one point in time, usually pre-signature. The Contract Risk Assessment Checklist scores risk across the lifecycle: signing, performance, change events, renewal, exit.
The first is a legal-review tool. The second is an enterprise-risk tool. Mature US programs run both on a shared inventory, with the same risk categories, so the legal and risk views agree.
What are the biggest risks the Contract Risk Assessment Checklist catches?
The biggest risks the Contract Risk Assessment Checklist catches are the financial leakage behind the World Commerce & Contracting 11% benchmark, the FCPA and sanctions exposures the DOJ ECCP now expects to be monitored continuously, the cyber and data exposures sitting inside SaaS sub-processors, the auto-renewal blind spots that lock in stale pricing, and the force-majeure clauses that silently exclude pandemics or geopolitical disruption.
Where the Contract Risk Assessment Checklist Is Heading: 2026-2028
The Contract Risk Assessment Checklist is mid-shift. Three changes will shape the next 24 months for US enterprises: AI-driven contract analytics moving from pilot to production, DORA-style continuous-monitoring expectations bleeding into US programs through cross-border vendors, and tighter SEC and DOJ enforcement on third-party compliance after the 2024 ECCP update.
AI contract analytics will move from sampling to full-corpus review. Expect tools that ingest the full contract base, flag deviations from playbook clauses, score residual risk, and surface renewal triggers without manual prompts.
The DOJ ECCP 2024 emphasis on AI and data governance puts AI inside the program scope, not outside it. Every Contract Risk Assessment Checklist in 2026-2027 will need an AI-use disclosure clause and a model-monitoring KRI.
DORA-style continuous monitoring is bleeding into US programs through cross-border vendors. US firms working with EU-regulated counterparties already carry DORA flow-down expectations on critical ICT third parties.
The EU Digital Operational Resilience Act (DORA) sets a continuous-monitoring bar that is now showing up in US Contract Risk Assessment Checklist designs even where DORA does not strictly apply.
Enforcement is tightening. Expect SEC enforcement and DOJ activity in 2026-2027 to focus on whether US companies have actually operationalized the September 2024 ECCP changes.
The first wave of enforcement will look at root-cause documentation, third-party recertification cadence, and AI-use disclosure. A Contract Risk Assessment Checklist last refreshed before October 2024 carries none of those three items, and that gap is the first thing a program review will find.
For more risk-assessment resources, see the complete guide to the risk assessment process, what is a risk assessment, how to conduct a risk assessment, and the regulatory compliance risk assessment template.
Adjacent reads from the Risk Publishing library: the third-party risk management framework for 2026, the essential risk management process flow chart, the free Excel risk register template, key elements of a risk register, risk mitigation in project management, the business continuity management lifecycle, and the risk-assessment templates library

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
