Sorai
Decision-Grade Review
Risk Scoring
Jan 25, 2026 · 15 min read · Sorai Editorial · M&A Diligence Research · Updated Mar 30, 2026
M&A risk scoring helps deal teams rank findings, compare domain risks, and turn diligence evidence into clearer IC decisions without losing source-level context.
Quick answer
AI risk scoring in M&A due diligence helps deal teams prioritize findings, compare risk across workstreams, and present a clearer recommendation to the investment committee. McKinsey and Deloitte both point to the same practical use case: GenAI is most useful when it helps teams structure large volumes of evidence, highlight exceptions, and keep decision support tied to the underlying record.
Deal teams rarely struggle to produce findings. They struggle to decide which findings matter most, which ones should change the economics of the deal, and which ones simply require monitoring. That is the problem risk scoring is meant to solve.
A raw diligence issue list can be useful for the workstream leads who live in the detail every day. It is much less useful for an investment committee that needs to make a directional decision under time pressure. A scoring framework gives the team a way to convert a large body of evidence into a clearer view of relative severity, decision relevance, and next actions.
McKinsey has pointed to diligence, synthesis, and decision support as some of the clearest early applications for generative AI in M&A because they require teams to process large volumes of evidence quickly and consistently [McKinsey & Company, "Gen AI: Opportunities in M&A," May 2024]. Deloitte's 2025 M&A generative AI study reinforces the same trend from the field: firms are using GenAI in live workflows, not only in isolated experiments [Deloitte, "2025 GenAI in M&A Study," 2025].
Most diligence processes still rely on a familiar output: a long list of issues, often tagged high, medium, or low. That format is better than nothing, but it breaks down in three predictable ways.
Two issues can both be tagged high risk for very different reasons. One may be financially material and immediate. Another may be legally important but highly manageable through consent, covenant, or indemnity language. If both appear as simply "high," the committee still has to reconstruct the decision logic from scratch.
Financial, legal, tax, and commercial reviewers do not always mean the same thing when they say a finding is material. Without a common rubric, the combined output is harder to interpret than it needs to be.
The same underlying problem often appears multiple times across the deal record. Customer concentration may show up in the QoE, in key contract review, in forecast fragility, and in integration planning. If the issues are not connected, the team can understate or overstate the true risk.
A useful risk score is not an oracle. It is a structured way to prioritize findings so the team can explain what matters, why it matters, and what the buyer should do next.
In practice, strong scoring frameworks usually combine four elements.
How much could this issue affect value, cash flow, structure, timing, or post-close execution if left unresolved?
How confident is the team that the issue is real and decision-relevant, based on the current evidence?
Does the issue matter before LOI, between LOI and sign, at closing, or only after close? Timing changes how the buyer should react.
Can the risk be priced, papered, diligenced further, or managed operationally, or is it fundamentally outside the buyer's control?
Those dimensions matter because not every risk requires the same response. Some should change the purchase price. Some should change the structure. Some should change the workplan. Some should stop the process.
The categories vary by firm, but most buy-side teams eventually score across a similar set of domains.
This includes earnings quality, cash conversion, working capital behavior, debt-like items, customer concentration, and the repeatability of margin or growth assumptions. Financial risk matters because even a sound business can be mispriced if the cash profile is weaker than management's presentation suggests.
This usually includes change-of-control terms, assignment restrictions, unusual indemnities, termination rights, consent requirements, litigation exposure, and corporate authority issues. Legal risk often becomes most important when a problem can delay closing or reduce the buyer's control over the asset immediately after close.
Here the questions are often about filing posture, entity structure, indirect tax exposure, transfer pricing, NOL limitations, licensing requirements, data handling, or other compliance obligations. Some of these issues are manageable, but they need to be identified early because remediation can affect timing and structure.
Commercial risk asks whether the revenue and market story is durable. That can include customer churn risk, end-market concentration, pricing pressure, channel dependency, and competitive exposure. These are not always visible from a narrow document read, which is why the commercial layer often needs to be interpreted alongside the financial and contractual evidence.
AI is not valuable here because it magically predicts deal outcomes. It is valuable because it helps teams structure the evidence base more consistently.
When different advisors and internal reviewers describe issues in different ways, the first job is normalization. AI can help cluster similar findings, identify overlap, and map issues into a shared taxonomy. That makes the combined record easier to interpret.
McKinsey's 2026 work on higher-performing M&A AI programs emphasizes embedding AI in real processes rather than using it as a detached summarization layer [McKinsey & Company, "Gen AI in M&A: From theory to practice to high performance," January 2026]. In risk scoring, that means a score should never live on its own. It should remain tied to the underlying contracts, financial schedules, tax files, notes, and reviewer comments that produced it.
AI is useful when the same underlying issue appears in multiple places. A customer concentration problem, for example, may drive financial exposure, contractual consent risk, forecast sensitivity, and integration dependence on one relationship. A human team can connect those points, but it takes time. AI can help surface the linkage earlier.
Large diligence processes generate more issues than a senior team can discuss in depth. A scoring framework supported by AI can help bring the most decision-relevant issues to the top, provided the underlying rubric is explicit and the evidence remains visible.
See the workflow
Sorai keeps extraction, source evidence, and issue review connected so AI output does not break when the partner questions start.
The best risk-scoring workflows are operationally simple even if the underlying data model is sophisticated.
Bring the issue set from the workstreams into one record. That includes advisor findings, internal notes, extracted evidence, and open questions.
Map issues into a shared structure so the team can compare like with like. A change-of-control consent issue should not sit in an unrelated bucket just because it came from a legal memo instead of a central register.
Use a repeatable framework for materiality, likelihood, timing, and controllability. The exact scale can vary by firm. What matters is consistency.
Reviewers should be able to challenge the score, annotate the rationale, and identify where multiple issues stem from the same root cause.
Senior reviewers usually need both perspectives: domain-level heat by workstream and a cross-workstream view of the few issues most likely to change the decision.
Investment committees usually do not need a mathematically elegant score. They need a defensible answer to four questions:
Risk scoring is helpful when it sharpens those answers. It is unhelpful when it turns the discussion into a debate about the number itself.
A strong IC summary typically includes:
That is a much more useful decision package than a long appendix of findings with no consistent ordering logic.
There are four common mistakes to avoid.
Scoring is a framework for judgment, not a substitute for it. Experienced reviewers still need to decide whether the evidence is complete, whether the issue is truly decision-relevant, and whether the proposed mitigation is realistic.
A score with decimals can look rigorous while hiding weak assumptions. The model should help the team reason better, not pretend the uncertainty disappeared.
The same issue can mean different things in different sectors. Customer concentration, licensing exposure, or contract-transfer risk must always be interpreted in context.
A composite score can be useful, but only if the team can still see which domain is driving the result. Otherwise the number becomes harder to act on.
If a team is using software or AI to support risk scoring, the control model matters more than the dashboard design.
The team should know what is driving the score and be able to adjust the framework when the situation changes.
Every meaningful score should be reversible back to the findings and evidence underneath it.
Reviewers need the ability to challenge and revise both the issue classification and the score.
Scores change as diligence progresses. The system should preserve who changed a score, why it changed, and what new evidence caused the update.
Sorai is built around the operating record between evidence gathering and senior review. In a risk-scoring workflow, that means findings, supporting documents, reviewer comments, and escalation decisions stay connected instead of being split across disconnected workpapers. The goal is not only to generate a score. It is to give the team a decision framework that can still be challenged, explained, and audited later.
M&A risk scoring works when it turns a fragmented diligence record into a structured decision tool. AI helps by normalizing issues, highlighting overlap, and keeping the scoring logic attached to the evidence. It does not replace specialists or committee judgment. It makes that judgment easier to apply consistently, which is what serious buyers actually need.
Sources cited
Author
Editorial review team for Sorai's public diligence content
The editorial team translates public primary-source research and Sorai's workflow perspective into material designed for private equity, corporate development, and transaction advisory readers.
Frequently asked questions
A risk score is a structured way to prioritize diligence issues. It usually combines the seriousness of a finding, the likelihood that it matters, the amount of evidence behind it, and the timing or controllability of the issue. The goal is not to predict the future with precision; it is to help the team focus on the issues most likely to affect price, structure, timing, or the decision to proceed.
Strong teams measure risk through a repeatable rubric rather than instinct alone. Findings are grouped by workstream, linked to evidence, assessed for materiality and urgency, and then compared in a way that lets reviewers see both the domain-level picture and the underlying drivers.
There is no universal threshold. A sponsor, strategic acquirer, and minority investor may all score the same issue differently because their risk appetite and control rights differ. The useful approach is to define the decision thresholds internally and make the rationale explicit before the committee discussion starts.
No. AI can organize evidence, cluster findings, and speed first-pass prioritization, but it does not replace the judgment of experienced financial, legal, and tax advisors. The best workflow is AI-supported review with human validation, challenge, and escalation.
Because long issue lists often bury the most important problems inside undifferentiated notes. Scoring helps the team explain which issues matter most, why they matter, and what action the buyer should take next.
From article to workflow
Use the platform and workstream pages to see how Sorai turns AI-assisted review into a decision-grade diligence record.
Relevant workflow
See how Sorai connects evidence, issue ownership, and senior review in one operating record.
Relevant workflow
Review the financial workflow for QoE, cash flow, and working capital analysis.
Relevant workflow
See how Sorai handles contracts, clauses, and linked legal review.
Related reading
Due Diligence
Due diligence in M&A is the buyer's systematic investigation of a target company's financial, tax, legal, and operational position before closing. This guide covers every workstream, timeline, and checklist.
Pre-LOI
Pre-LOI due diligence helps buyers test the deal thesis, identify the highest-risk issues early, and decide whether to proceed, pause, or narrow the scope before exclusivity begins.
Quality of Earnings
A buyer-focused guide to quality of earnings analysis in M&A, including what QoE actually tests, which findings change price and terms, and how to run the work under deal pressure.