About Risk Authentication Rules, Score and Advice

Article ID: 239031


Products

CA Risk Authentication, CA Advanced Authentication, CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

The rules and scores are as follows:
===============================================
RULENAME                             Score  Advice        Priority
Exception User Check                 30     ALLOW         1
Untrusted IP Check                   100    DENY          2
Negative Country Check               100    DENY          3
Trusted IP/Aggregator Check          30     ALLOW         4
Unknown User                         50     ALERT         5
Unknown DeviceID                     65     INCREASEAUTH  6
User Not Associated with DeviceID    65     INCREASEAUTH  7
Device MFP Not Match                 65     INCREASEAUTH  8
User Velocity Check                  65     INCREASEAUTH  9
Device Velocity Check                65     INCREASEAUTH  10
===============================================

Is the following concept correct for risk evaluation?
===============================================
The risk evaluation rules are evaluated in the order of Priority in the table.
Priority 1 and 4: the Risk Score is 30 and the Advice is ALLOW, so OTP authentication is not required and authentication is OK when either rule applies.
Priority 2 and 3: the Risk Score is 100 and the Advice is DENY, so authentication fails when either rule applies.
Priority 5: the Risk Score is 50 and the Advice is ALERT. Authentication is neither OK nor NG, so evaluation continues with the rules from Priority 6 onward.
Priority 6 to 10 require OTP authentication when any of them applies.
===============================================  

Environment

Release : 9.1

Component : Risk Authentication

Resolution

Is the following concept correct for risk evaluation?
===============================================
The risk evaluation rules are evaluated in the order of Priority in the table.

--> This is correct. The rules are executed sequentially, and the Matched Rule is the first rule that triggers.

Priority 1 and 4: the Risk Score is 30 and the Advice is ALLOW, so OTP authentication is not required and authentication is OK when either rule applies.

--> Yes. If any of the ALLOW rules triggers, OTP authentication is not needed. However, if an ALLOW rule sits lower in the order than an INCREASEAUTH rule and that INCREASEAUTH rule triggers, the user has to go through OTP.

Priority 2 and 3: the Risk Score is 100 and the Advice is DENY, so authentication fails when either rule applies.

--> Yes, the transaction will fail in this case.

Priority 5: the Risk Score is 50 and the Advice is ALERT. Authentication is neither OK nor NG, so evaluation continues with the rules from Priority 6 onward.

--> In a SiteMinder-integrated environment this is a non-issue: if the user is not found, the user is blocked from going ahead and risk evaluation is not done. In normal scenarios you can configure which step-up to provide when the Advice is ALERT; for example, for a score of 65 it can be OTP, but for 50 it can be QnA. This is not applicable to your environment, but it can be done.

Priority 6 to 10 require OTP authentication when any of them applies.

--> Yes, an INCREASEAUTH rule will trigger OTP authentication as a second factor.
===============================================  

There will also be situations where none of the rules trigger. In that case the transaction is ALLOWED and no step-up is needed; this signifies that the transaction is not risky.
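
The first-match behaviour described above can be modelled in a few lines to check how a rule order behaves before changing it. This is an added example, not product code: `evaluate`, `move_rule` and the sample transaction are hypothetical, and only the rule table comes from this article.

```python
from typing import Iterable, NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    score: int
    advice: str
    priority: int

# Rule table as listed in this article.
RULES = [
    Rule("Exception User Check", 30, "ALLOW", 1),
    Rule("Untrusted IP Check", 100, "DENY", 2),
    Rule("Negative Country Check", 100, "DENY", 3),
    Rule("Trusted IP/Aggregator Check", 30, "ALLOW", 4),
    Rule("Unknown User", 50, "ALERT", 5),
    Rule("Unknown DeviceID", 65, "INCREASEAUTH", 6),
    Rule("User Not Associated with DeviceID", 65, "INCREASEAUTH", 7),
    Rule("Device MFP Not Match", 65, "INCREASEAUTH", 8),
    Rule("User Velocity Check", 65, "INCREASEAUTH", 9),
    Rule("Device Velocity Check", 65, "INCREASEAUTH", 10),
]

class Result(NamedTuple):
    matched_rule: Optional[str]
    score: Optional[int]  # the article gives no score for "no rule triggered"
    advice: str

def evaluate(triggered: Iterable[str], rules=RULES) -> Result:
    """First-match model: the matched rule is the first triggered rule by priority."""
    hits = set(triggered)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.name in hits:
            return Result(rule.name, rule.score, rule.advice)
    return Result(None, None, "ALLOW")  # nothing triggered: allowed, no step-up

def move_rule(name: str, priority: int, rules=RULES) -> list:
    """Hypothetical helper: copy of the table with one rule given a new priority."""
    return [r._replace(priority=priority) if r.name == name else r for r in rules]

if __name__ == "__main__":
    # Constructed transaction: trusted IP, but a device ID never seen before.
    tx = {"Trusted IP/Aggregator Check", "Unknown DeviceID"}
    print(evaluate(tx))           # ALLOW rule at priority 4 matches first
    demoted = move_rule("Trusted IP/Aggregator Check", 11)
    print(evaluate(tx, demoted))  # INCREASEAUTH rule at priority 6 now matches first
    print(evaluate(set()))        # no rule triggered
```

With the table as listed, the ALLOW rule at priority 4 matches before any INCREASEAUTH rule; moving it below them makes the same transaction require OTP, which is the ordering caveat in the answer above.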