STR-03 · Risk Matrix — Use Case × Risk Taxonomy 2026 × Likelihood

Pillar: P1 · Duration: 3–6 hours per use case; 2–3 days for full portfolio review

Purpose

Provide a systematic, repeatable framework to evaluate AI adoption opportunities in legal functions by quantifying risk across five weighted dimensions and mapping each use case to Risk Taxonomy 2026. The matrix produces a composite risk score (Weighted Impact × Likelihood), applies supplemental modifiers, and converts the result into clear governance actions and adoption recommendations.

Use cases with scores ≥10.0 (High Risk) automatically generate GOV-03 Risk Register entries and require STR-07 AI Task Force approval before implementation or material change.

When to Use

  • Before any new AI pilot or production deployment
  • During quarterly risk reviews for active AI use cases
  • During annual strategic planning and portfolio reprioritisation
  • Whenever a Risk Taxonomy 2026 class is affected by a material change (e.g. new regulation, new vendor, new use case category)

Metric 0: AI BoM Pre-Assessment

Complete the AI Bill of Materials (AI BoM) checks before scoring any use case. An incomplete AI BoM invalidates STR-03 results.

| AI BoM Check | Status | Action if Incomplete |
|---|---|---|
| All approved AI tools registered in AI BoM | | Complete AI BoM inventory via STR-07 AI Task Force |
| Shadow AI survey completed (USE-05 Metric 0) | | Run USE-05 Shadow AI baseline before proceeding |
| All vendors under evaluation have provided AI model inventory | | Require AI model inventory per VEN-01 Pass/Fail Criterion 1 and VEN-02 Section 3 |
| Agentic Tier AI in use identified and flagged | | Mark `agenticTier: true` in AI BoM; apply +2 risk modifier in Section 3 |

Section 1: Five-Dimension Risk Framework

The composite weighted impact score combines five dimensions, each mapped to one or more Risk Taxonomy 2026 canonical classes.

| Dimension | Weight | Primary Risk Taxonomy 2026 Class(es) | Scale |
|---|---|---|---|
| D1: Legal and Professional Responsibility | 35% | Class 2: Privilege and confidentiality; Class 3: Bias and fairness | 1 (Minimal) → 5 (Critical) |
| D2: Technical and Operational | 25% | Class 1: Hallucination and accuracy; Class 9: Operational resilience | 1 (Minimal) → 5 (Critical) |
| D3: Regulatory and Compliance | 20% | Class 7: Regulatory compliance drift; Class 4: Privacy and data protection | 1 (Minimal) → 5 (Critical) |
| D4: Security and Privacy | 15% | Class 4: Privacy and data protection; Class 2: Privilege and confidentiality | 1 (Minimal) → 5 (Critical) |
| D5: Reputational and Business | 5% | Class 6: Shadow AI; Class 5: Supply chain and vendor dependency | 1 (Minimal) → 5 (Critical) |

Composite Weighted Impact Score

Composite Weighted Impact Score = (D1 × 0.35) + (D2 × 0.25) + (D3 × 0.20) + (D4 × 0.15) + (D5 × 0.05)

Supplemental Risk Taxonomy 2026 Modifiers

Four canonical classes are assessed as +1 modifiers to the Composite Impact Score when their trigger condition is met. The modifiers are added to the composite score before it is multiplied by likelihood (Section 2).

| Class | Trigger | Modifier |
|---|---|---|
| Class 3: Bias and fairness | Vendor has no documented bias testing protocol | +1 |
| Class 5: Supply chain and vendor dependency | Vendor sub-processor list not disclosed or data portability not contractually guaranteed | +1 |
| Class 6: Shadow AI and policy circumvention | Shadow AI usage detected for this use case category at USE-05 baseline | +1 |
| Class 8: IP and licensing | Vendor IP ownership terms for AI-generated outputs not explicitly documented in DPA | +1 |

Dimension 1: Legal and Professional Responsibility (35%)

Score 1–5 based on:

  • Attorney–client privilege violations or waiver risk
  • Professional malpractice exposure from AI errors
  • ABA Model Rules and state bar ethical compliance (Rules 1.1, 1.6, 5.3, 3.1, 1.5)
  • Client consent and disclosure requirements (GOV-06)
  • Work product and confidentiality protections
  • Competence and supervision requirements

Dimension 2: Technical and Operational (25%)

Score 1–5 based on:

  • AI hallucinations producing false or misleading information (Class 1)
  • System downtime affecting critical legal processes (Class 9)
  • Data quality issues leading to poor AI performance
  • Vendor dependency and potential lock-in (Class 5)
  • Model drift and performance degradation over time (Class 1)

Dimension 3: Regulatory and Compliance (20%)

Score 1–5 based on:

  • EU AI Act requirements for high-risk AI systems (Class 7)
  • GDPR and state privacy law exposure from AI data processing (Class 4)
  • US state AI disclosure and bias audit requirements (Class 7)
  • Court rules regarding AI usage in litigation (Class 7)
  • ABA guidance and state bar ethics opinions on AI (Class 7)

Dimension 4: Security and Privacy (15%)

Score 1–5 based on:

  • Client data exposure through AI processing or storage (Class 4)
  • Unauthorised model training on confidential information (Class 2)
  • Cross-client data contamination or leakage (Class 2)
  • Shadow AI creating unmanaged security risks (Class 6)
  • Third-party vendor data handling practices (Class 5), mitigated by DAT-03 DPA execution

Dimension 5: Reputational and Business (5%)

Score 1–5 based on:

  • Client confidence erosion from AI failures (Class 9)
  • Competitive disadvantage from poorly implemented AI (Class 5)
  • Talent attraction and retention challenges (Class 6)

Section 2: Likelihood Assessment

Final Risk Level = Adjusted Composite Impact Score × Likelihood Score

| Likelihood Score | Probability (12 months) | Indicators |
|---|---|---|
| 5 — Very High | 90–100% | Experimental tech; unvetted vendor; no governance; no legal track record |
| 4 — High | 60–89% | Emerging tech; limited legal adoption; evolving regulation |
| 3 — Moderate | 30–59% | Established tech; some legal implementations; standard controls |
| 2 — Low | 10–29% | Mature tech; proven legal applications; governance frameworks established |
| 1 — Very Low | 0–9% | Well-established tech; deep legal expertise; advanced monitoring |

Likelihood is informed by:

  • Technology maturity (40%)
  • Vendor and market risk (25%)
  • Implementation complexity (20%)
  • Regulatory environment (10%)
  • Organisational readiness (5%)
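The scoring procedure described in Metric 0, Section 1 and Section 2 can be run end to end as follows. This is an added worked example, not Advanta's own tooling: it encodes the five dimension weights, the +1 class modifiers, the +2 Agentic Tier modifier, the multiplication by likelihood and the ≥10.0 High Risk routing rule from this page. The modifier identifiers, the sample use case and its scores are constructed for illustration; only the High Risk band is stated on the page, so no other bands are assumed.

```python
"""STR-03 scoring helper (constructed example, not Advanta's own code).

Implements the page's rules: AI BoM gate (Metric 0), weighted impact
(Section 1), +1 class modifiers and +2 Agentic Tier modifier, Final Risk =
Adjusted Impact x Likelihood (Section 2), and GOV-03/STR-07 routing at >= 10.0.
"""
from dataclasses import dataclass, field

# Dimension weights from Section 1, as integer percentages so sums stay exact.
WEIGHTS_PCT = {"D1": 35, "D2": 25, "D3": 20, "D4": 15, "D5": 5}

# Supplemental modifier triggers from Section 1 (+1 each). Identifiers are
# constructed for this example; the classes and triggers are the page's.
MODIFIER_TRIGGERS = {
    "class3_no_bias_testing_protocol",
    "class5_subprocessors_or_portability_missing",
    "class6_shadow_ai_detected_at_baseline",
    "class8_ip_terms_not_in_dpa",
}
AGENTIC_TIER_MODIFIER = 2   # Metric 0: agenticTier: true -> +2
HIGH_RISK_THRESHOLD = 10.0  # >= 10.0 -> High Risk -> GOV-03 entry + STR-07 approval


@dataclass
class AiBomStatus:
    """Metric 0 pre-assessment; all four checks must pass before scoring."""
    tools_registered: bool
    shadow_ai_survey_done: bool
    vendor_model_inventory_received: bool
    agentic_tier_flagged: bool

    def complete(self) -> bool:
        return all((self.tools_registered, self.shadow_ai_survey_done,
                    self.vendor_model_inventory_received, self.agentic_tier_flagged))


@dataclass
class UseCase:
    name: str
    dimensions: dict                              # {"D1": 1..5, ..., "D5": 1..5}
    likelihood: int                               # 1..5 per Section 2
    modifiers: set = field(default_factory=set)   # subset of MODIFIER_TRIGGERS
    agentic_tier: bool = False


def _check_scale(label: str, value: int) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer 1..5, got {value!r}")


def composite_impact(dimensions: dict) -> float:
    """Weighted impact: (D1*0.35)+(D2*0.25)+(D3*0.20)+(D4*0.15)+(D5*0.05)."""
    if set(dimensions) != set(WEIGHTS_PCT):
        raise ValueError("all five dimensions D1..D5 must be scored")
    for dim, score in dimensions.items():
        _check_scale(dim, score)
    return sum(dimensions[d] * WEIGHTS_PCT[d] for d in WEIGHTS_PCT) / 100


def adjusted_impact(uc: UseCase) -> float:
    """Composite impact plus +1 per triggered class and +2 for Agentic Tier."""
    unknown = uc.modifiers - MODIFIER_TRIGGERS
    if unknown:
        raise ValueError(f"unknown modifier(s): {sorted(unknown)}")
    bonus = len(uc.modifiers) + (AGENTIC_TIER_MODIFIER if uc.agentic_tier else 0)
    return composite_impact(uc.dimensions) + bonus


def final_risk(uc: UseCase) -> float:
    """Section 2: Final Risk Level = Adjusted Composite Impact x Likelihood."""
    _check_scale("likelihood", uc.likelihood)
    return adjusted_impact(uc) * uc.likelihood


def assess(uc: UseCase, bom: AiBomStatus) -> dict:
    """Full STR-03 pass: Metric 0 gate, scoring, then governance routing."""
    if not bom.complete():
        raise ValueError("AI BoM pre-assessment incomplete; STR-03 result invalid")
    score = final_risk(uc)
    high = score >= HIGH_RISK_THRESHOLD
    actions = []
    if high:
        actions = ["Create GOV-03 Risk Register entry",
                   "Obtain STR-07 AI Task Force approval before implementation"]
    return {"use_case": uc.name, "composite": composite_impact(uc.dimensions),
            "adjusted": adjusted_impact(uc), "likelihood": uc.likelihood,
            "final_risk": score, "high_risk": high, "actions": actions}


# Constructed sample: a contract-review assistant whose vendor has not
# disclosed its sub-processor list (Class 5 modifier), not agentic.
SAMPLE_BOM = AiBomStatus(True, True, True, True)
SAMPLE_USE_CASE = UseCase(
    name="contract review assistant (constructed)",
    dimensions={"D1": 4, "D2": 3, "D3": 3, "D4": 4, "D5": 2},
    likelihood=3,
    modifiers={"class5_subprocessors_or_portability_missing"},
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_USE_CASE, SAMPLE_BOM).items():
        print(f"{key}: {value}")
```

For the constructed sample the composite is 3.45, the Class 5 modifier lifts it to 4.45, and a likelihood of 3 gives a final risk of 13.35, which crosses the 10.0 threshold and routes the use case to GOV-03 and STR-07. Because the Metric 0 gate is enforced in code, an incomplete AI BoM raises an error rather than silently producing a score, which matches the page's rule that such a result is invalid.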

Section 3: Use Case Risk Profiles and Decision Rights

Key Takeaways

  • Quantify AI use case risk using a five-dimension weighted impact score plus likelihood.
  • Map every use case to all relevant Risk Taxonomy 2026 classes, including supplemental modifiers.
  • Enforce AI BoM and Shadow AI baselines as prerequisites for valid risk scoring.
  • Route High and Very High risk use cases to STR-07 and Board governance with mandatory GOV-03 entries.
  • Apply Agentic Tier modifiers and controls for autonomous AI executors.
  • Use the worksheet and dashboard to maintain a living, auditable AI risk register.
  • Generate DPS-grade defensibility evidence for regulators, clients, and insurers.

Get This Module

This module is available as part of an Advanta Advisory engagement.


Need help implementing this — and the 49 modules around it?

Advanta Advisory works with legal departments to deploy the full Legal AI OS framework — governance design, implementation roadmap, and team capability — structured around your maturity baseline.