AILegalResearch
Legal Guides · 9 min read · Updated May 21, 2026

Legal Risk Assessment Example: Sample Report + Free Template

See what a completed legal risk assessment report looks like — with a worked example across 12 risks, a risk register, and an action plan. Download the free blank template to run your own assessment.

Understanding the framework for a legal risk assessment is one thing. Seeing what a finished report actually looks like is another. This article walks through a completed sample report for a fictional e-commerce company — showing how risks are identified, rated, and documented — and provides a free blank template you can adapt for your own organization.

If you are new to legal risk assessments, start with our guide on How to Perform a Legal Risk Assessment, which covers the five-step framework in detail. This article picks up where that one ends — at the output stage.

What Does a Finished Legal Risk Assessment Report Look Like?

A legal risk assessment report is a structured document with three core components: an executive summary, a risk register, and an action plan. The executive summary gives leadership a quick view of total risks by category and severity. The risk register is the detailed record — one entry per identified risk, with a description, likelihood rating, impact rating, overall rating, and recommended action. The action plan converts the high-priority findings into assigned tasks with owners and deadlines.

Most reports also include a methodology section that explains how the assessment was conducted — what documents were reviewed, who was interviewed, and what standards were applied. This is important for credibility and for legal defensibility if the report is ever examined in litigation.

  • Executive Summary: Risk counts by category and severity level. One page or less.
  • Risk Register: One entry per risk. Includes ID, category, description, likelihood, impact, rating, and recommendation.
  • Action Plan: High-priority items only. Owner, deadline, and status for each.
  • Methodology: Scope, data sources, and rating framework used.
  • Sign-off: Signature block for the preparer, reviewer, and approver.

How Risk Ratings Work

The standard approach is a 2×2 matrix. You assess each risk on two dimensions: likelihood (how probable is it that this risk materializes?) and impact (how serious would the consequences be?). Each dimension is rated Low, Medium, or High.

The overall risk rating is driven by the higher of the two scores, with some judgment applied. A risk that is unlikely but would be catastrophic if it occurred — a data breach exposing millions of records, for example — is rated High even though the likelihood is Low. A risk that is likely but low-impact can usually be addressed through routine policy updates rather than immediate escalation.

Rating shortcut: High likelihood + High impact = HIGH (immediate action). Either dimension High + other Medium = HIGH or MEDIUM (judgment call). Both Low = LOW (monitor and address in normal course).

Example 1 — Completed Sample Report: E-Commerce Company

The sample report below covers Pinnacle Commerce LLC — a fictional direct-to-consumer e-commerce business with 45 employees, operating across the U.S. and selling to EU customers. The assessment identified 12 risks across five categories: contract management, employment compliance, data privacy, intellectual property, and consumer protection.

Three risks were rated HIGH and required immediate action. Six were rated MEDIUM and were assigned to specific owners with 30–90 day deadlines. Three were rated LOW and added to the quarterly compliance calendar. The report structure below is typical for a company of this size.

Sample Legal Risk Assessment Report — Pinnacle Commerce LLC

Completed example · 12 risks across 5 categories · Risk register + action plan · E-commerce scenario

A few things to notice in this example. First, the executive summary table gives a fast signal — anyone reading the report can see at a glance that data privacy and employment carry the most acute risks. Second, each risk entry in the register is actionable: it names what must change, not just what is wrong. Third, the high-priority items in the action plan each have an owner and a deadline. Risk registers without ownership rarely produce results.

Notice also how the three HIGH-rated items (CR-01, EMP-01, DP-01) all involve situations where the company had known about the arrangement — vendor indemnification, California remote workers, GDPR data transfers — but had not specifically assessed the legal exposure. That pattern is common. The risks are not hidden. They are simply unexamined.

Example 2 — Blank Template: Run Your Own Assessment

The blank template below uses the same structure as the sample report. It includes pre-populated risk categories and IDs, a summary table, a risk register with eight blocks ready to fill in, an action plan table, and a sign-off section. Add or remove rows as needed for your organization.

The template is designed to work for companies of any size. A solo founder can complete it in a few hours. An in-house legal team at a mid-size company might use it as the basis for a more comprehensive annual review. The goal is the same either way: documented, prioritized, assigned.

Legal Risk Assessment Template — Blank (Free Download)

Fillable blank template · 8 risk register blocks · Action plan table · Sign-off section · Adapt for any organization

When filling in the template, start with the categories most relevant to your business. A SaaS company should begin with data privacy and contract management. A staffing firm should start with employment compliance. A hardware startup should prioritize intellectual property and product liability. Scope the assessment to what actually matters in your specific context — a generic risk register that covers everything superficially is less useful than a focused one that goes deep on your three highest-exposure areas.

Common Mistakes in Legal Risk Assessment Reports

The most frequent error is vague risk descriptions. "Contract risk" is not a risk entry. "Vendor MSA contains uncapped indemnification — company bears unlimited liability for supplier errors" is. Specific descriptions produce specific recommendations. Vague descriptions produce nothing actionable.

The second common mistake is rating every risk as Medium. This is a comfort response — it avoids the discomfort of escalating a real High-rated risk to leadership. But if every risk is Medium, the report provides no signal. The goal is honest prioritization, not even distribution.

The third mistake is completing the assessment and filing it away. A legal risk assessment is only useful if it drives action. The action plan section exists precisely to prevent the report from becoming a document that proves you thought about risk once, rather than a system that actually manages it.

How AI Speeds Up Report Creation

Building a risk register manually is time-consuming. Reviewing 40 contracts to check indemnification caps takes days. Scanning employment practices against current federal and state law requires legal research across multiple jurisdictions. Assessing GDPR data processing agreements requires comparing current vendor contracts against the specific requirements of Articles 28 and 46.

AI tools accelerate the data-gathering phase of the assessment. A contract review tool can scan a library of vendor agreements in minutes, flagging clauses that deviate from standard market terms. A legal document summarizer can extract key obligations from a 60-page supply agreement in seconds. A research tool can identify the current state of enforcement in a specific regulatory area without requiring hours of case law review.

The output of AI tools becomes input to the risk register. You still apply judgment — deciding whether a flagged clause rises to Medium or High, determining which risks require immediate outside counsel, and approving the final action plan. But the underlying document review that would previously take a week can often be completed in a single working day.

Use the Contract Clause Analyzer to quickly identify non-standard or high-risk clauses across your vendor and customer agreements. Use the Legal Document Summarizer to extract key obligations from long contracts before adding them to your risk register. Both are free and require no account.

For employment compliance specifically, the Worker Classification Checker applies the IRS behavioral control, financial control, and relationship-type tests to your specific worker arrangements — surfacing misclassification risk before it becomes an audit finding. For companies with privacy obligations, the Privacy Policy Analyzer flags gaps between your stated policy and GDPR or CCPA requirements.

Disclaimer: The sample report and template in this article are for educational and operational reference only. They do not constitute legal advice and do not create an attorney-client relationship. Risk ratings, findings, and recommendations in the sample report are entirely fictitious. Consult a licensed attorney to validate your assessment and act on identified risks.

Editorial note: AI For Legal Research publishes independent content. We do not accept payment for editorial coverage or review scores. Nothing on this site constitutes legal advice. Always consult a qualified attorney for legal matters.