Risk Assessment in Construction Subcontractor Management: The Complete Guide for GCs
General contractors hand 70% to 80% of every project dollar to subcontractors. When a sub fails mid-project, the GC absorbs the delay costs, the re-procurement expenses, and the reputational damage. Risk assessment exists to catch those failures before they happen.
This guide breaks down how to evaluate subcontractor risk across five critical dimensions, build a scoring matrix that actually works, and use compliance technology to automate what used to take weeks of manual vetting.
What Risk Assessment Means for General Contractors
Risk assessment in subcontractor management is the systematic process of identifying, measuring, and prioritizing threats a subcontractor poses to your project. It goes beyond gut feelings and past experience. It requires structured evaluation across financial stability, safety performance, insurance adequacy, operational capacity, and legal standing.
The goal is not to eliminate risk. That is impossible. The goal is to understand the specific risk each sub brings so you can price it, mitigate it, or walk away from it.
A 2024 Dodge Construction Network survey found that 62% of project delays trace back to subcontractor performance issues that were visible in prequalification data but never flagged. The problem is not a lack of data. It is a lack of structured assessment.
The Five Risk Categories Every GC Must Evaluate
1. Financial Risk
Financial failure is the most catastrophic subcontractor risk. When a sub runs out of money mid-project, work stops immediately.
Key indicators to assess:
- Bonding capacity. A sub's bonding limit reflects the surety's confidence in their financial health. A $5M bonding capacity on a $4.8M scope should raise flags.
- Credit scores and payment history. Dun & Bradstreet PAYDEX scores below 50 indicate chronic slow payment to suppliers.
- Work-in-progress reports. Over-billing on current projects often signals cash flow problems.
- Bank references and financial statements. Reviewed or audited statements from the past two fiscal years reveal trends.
2. Safety Risk
Safety failures create OSHA citations, project shutdowns, worker injuries, and wrongful death lawsuits.
Key indicators to assess:
- TRIR (Total Recordable Incident Rate). Industry average for specialty trades hovers around 3.0. Subs above 5.0 warrant extra scrutiny.
- EMR (Experience Modification Rate). An EMR above 1.0 means the sub's claims history is worse than average. Above 1.3, many GCs auto-disqualify.
- OSHA citation history. Serious and willful violations in the past three years are red flags that do not fade.
- Written safety programs. Confirm they have site-specific safety plans, toolbox talk documentation, and an active safety officer.
3. Insurance Risk
Inadequate insurance coverage transfers risk directly to the GC.
Key indicators to assess:
- Coverage limits. Do they meet your project's minimum requirements? A $1M general liability policy is often insufficient for mid-size commercial work.
- Additional insured status. Confirm the GC is named as additional insured on the sub's policy.
- Policy expiration dates. Policies that expire mid-project create coverage gaps.
- Workers' compensation coverage. Verify coverage is active in every state where work will be performed.
4. Operational Risk
A sub may be financially stable and safe but still lack the capacity or experience to execute your scope.
Key indicators to assess:
- Current workload. A sub committed to 90% of their bonding capacity may not have the bandwidth for your project.
- Workforce availability. Can they staff your project with qualified tradespeople during the required timeline?
- Equipment ownership vs. rental. Subs who own their major equipment have lower cost variability.
- Similar project experience. A residential electrical sub bidding a hospital project is a red flag, regardless of their financials.
5. Legal Risk
Past legal problems often predict future legal problems.
Key indicators to assess:
- Active litigation. Pending lawsuits, especially from other GCs, signal contract disputes.
- License status. Verify active licensure in the project jurisdiction. Expired or suspended licenses are non-negotiable disqualifiers.
- Lien history. Subs who file mechanics' liens frequently may use them as leverage rather than dispute resolution.
- Debarment status. Check federal and state debarment databases. A debarred sub is legally ineligible for public work.
How to Build a Probability and Severity Risk Assessment Matrix
A risk matrix maps the likelihood of a risk event against the severity of its impact. For subcontractor evaluation, this framework converts subjective assessments into numerical scores.
Step 1: Define Your Probability Scale
| Score | Probability | Description |
|---|---|---|
| 1 | Rare | Less than 5% chance based on historical data |
| 2 | Unlikely | 5%-20% chance; isolated indicators present |
| 3 | Possible | 20%-50% chance; multiple warning signs |
| 4 | Likely | 50%-80% chance; strong pattern of issues |
| 5 | Almost Certain | Above 80% chance; active problems in progress |
Step 2: Define Your Severity Scale
| Score | Severity | Project Impact |
|---|---|---|
| 1 | Negligible | Less than $10K impact, no schedule delay |
| 2 | Minor | $10K-$50K impact, up to 1 week delay |
| 3 | Moderate | $50K-$200K impact, 2-4 week delay |
| 4 | Major | $200K-$1M impact, 1-3 month delay |
| 5 | Critical | Over $1M impact, project viability at risk |
Step 3: Calculate Risk Scores
Multiply probability by severity for each risk category. A sub with a financial risk probability of 4 and severity of 5 scores 20 out of 25 in that category.
Step 4: Set Thresholds
- 1-5: Low risk. Standard contract terms apply.
- 6-12: Moderate risk. Enhanced monitoring, possibly additional bonding.
- 13-19: High risk. Senior management review required before award.
- 20-25: Critical risk. Do not award unless extraordinary mitigation is in place.
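Steps 1 through 4 applied to one subcontractor across the five risk categories, as an added example (not code from this guide or from any compliance platform). The function names and sample estimates are constructed for illustration; placing edge values in the higher band and scoring severity on dollar impact alone are assumptions.

```python
from bisect import bisect_right

# Band edges from the Step 1 and Step 2 tables. Assumption: a value exactly on
# an edge (20%, $50K, ...) is placed in the higher band, the conservative choice.
PROB_EDGES = [0.05, 0.20, 0.50, 0.80]
SEV_EDGES = [10_000, 50_000, 200_000, 1_000_000]
# Step 4 thresholds as (upper bound, tier).
TIERS = [(5, "Low"), (12, "Moderate"), (19, "High"), (25, "Critical")]
CATEGORIES = ("financial", "safety", "insurance", "operational", "legal")


def probability_score(p):
    """Map an estimated probability (0.0-1.0) to the 1-5 scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    return bisect_right(PROB_EDGES, p) + 1


def severity_score(dollars):
    """Map an estimated dollar impact to the 1-5 scale (schedule delay ignored)."""
    if dollars < 0:
        raise ValueError(f"negative impact: {dollars}")
    return bisect_right(SEV_EDGES, dollars) + 1


def tier(score):
    """Return the Step 4 tier for a 1-25 risk score."""
    return next(name for limit, name in TIERS if score <= limit)


def assess(estimates):
    """estimates: {category: (probability, dollar_impact)} for all five
    categories. Returns [(category, score, tier)], highest score first."""
    missing = set(CATEGORIES) - set(estimates)
    if missing:
        raise ValueError(f"unscored categories: {sorted(missing)}")
    rows = []
    for cat in CATEGORIES:
        p, dollars = estimates[cat]
        score = probability_score(p) * severity_score(dollars)
        rows.append((cat, score, tier(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed estimates for a hypothetical subcontractor.
SAMPLE = {"financial": (0.60, 1_500_000), "safety": (0.30, 150_000),
          "insurance": (0.10, 40_000), "operational": (0.55, 250_000),
          "legal": (0.02, 5_000)}

if __name__ == "__main__":
    for cat, score, name in assess(SAMPLE):
        print(f"{cat:12} {score:2}  {name}")
```

The financial row reproduces the Step 3 case: probability 4 times severity 5 gives 20, which lands in the critical tier.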
The Compliance Scorecard Approach
Manual risk assessment works for five or ten subs. It collapses at fifty or five hundred. Compliance scorecard platforms automate data collection, scoring, and monitoring across your entire subcontractor pool.
How it works:
- Data ingestion. The platform collects insurance certificates, safety records, financial references, licenses, and OSHA history directly from subs and third-party databases.
- Automated scoring. Each data point maps to a risk score using your custom weighting. Safety-critical trades can weight EMR more heavily. High-value scopes can weight bonding capacity higher.
- Continuous monitoring. Unlike point-in-time prequalification, compliance platforms flag changes in real time. An insurance lapse, a new OSHA citation, or a bond rating downgrade triggers an alert before it becomes a project problem.
- Dashboard reporting. Project teams see risk scores by sub, by trade, and by project in a single view.
SubcontractorAudit's compliance scorecard aggregates data from over 40 sources and updates risk scores daily, replacing the spreadsheet-based systems that most GCs still use.
Common Risk Assessment Mistakes
Relying on the bid price as a proxy for risk. The lowest bidder is not automatically the riskiest, and the highest bidder is not automatically the safest. Risk assessment must be independent of pricing.
Treating prequalification as a one-time event. A sub that qualified 18 months ago may have lost key personnel, taken on excessive work, or let insurance lapse. Risk is dynamic. Assessment must be continuous.
Ignoring trade-specific risk factors. Roofing subs have different risk profiles than mechanical subs. A generic risk form that treats all trades identically misses critical nuances.
Skipping reference checks. Financial statements and safety records tell you what happened. References from other GCs tell you how it felt to work with the sub, which is often more predictive.
Frequently Asked Questions
What is the difference between risk assessment and prequalification? Prequalification is a pass/fail gate at the front end. Risk assessment is an ongoing evaluation that quantifies the degree of risk a sub presents. Prequalification answers "can this sub work for us?" Risk assessment answers "how much risk does this sub bring, and how do we manage it?"
How often should GC risk assessments be updated? At minimum, annually for all active subs. For subs on active projects, quarterly reviews catch emerging issues. Continuous monitoring platforms update risk scores in real time as new data becomes available.
What risk assessment score should disqualify a subcontractor? There is no universal cutoff. Most GCs set thresholds based on project value and complexity. A sub that scores in the high-risk range on a $500K project might be acceptable with enhanced monitoring. The same score on a $50M project is likely a disqualifier.
Can small GCs afford structured risk assessment? Yes. Cloud-based compliance platforms have reduced the cost from six-figure enterprise implementations to monthly subscriptions accessible to firms running $10M to $50M in annual revenue.
How does risk assessment integrate with bonding requirements? Bonding provides a financial backstop for subcontractor default. Risk assessment identifies the likelihood of needing that backstop. High-risk subs may require performance bonds even when your standard practice is to bond only scopes above a certain dollar threshold.
What role does technology play in modern risk assessment? Technology automates data collection, standardizes scoring, enables continuous monitoring, and provides portfolio-level visibility. Manual processes cannot match the speed, consistency, or coverage of platform-based assessment.
Move From Gut Feel to Scored Risk
Every GC has a story about the sub who "seemed fine" until they were not. Risk assessment replaces anecdotes with data and replaces hope with process.
Request a demo of SubcontractorAudit to see how automated compliance scorecards turn subcontractor risk assessment from a quarterly spreadsheet exercise into a continuous, data-driven advantage.
Founder and CEO of SubcontractorAudit. Building AI-powered compliance tools that help general contractors automate insurance tracking, pay application auditing, and lien waiver management.