Contractor compliance risk is not a single problem - it's three separate problems that compound each other. Most organizations address one or two and leave the third unresolved.
Gap 1: Weak or incomplete contract insurance requirements. You can't verify compliance against requirements that aren't clearly specified.
Gap 2: Certificate of insurance (COI) collection without verification. Collecting a certificate doesn't mean the certificate satisfies your requirements.
Gap 3: No ongoing monitoring. Coverage compliant at contract execution may lapse or be reduced before the project ends.
Close all three gaps and your contractor compliance risk drops materially. Close only one or two and the remaining gap is where your exposure concentrates.
Gap 1: Contract Requirements That Don't Protect You
The starting point for contractor compliance is the insurance exhibit in your contract. Most construction subcontracts, service agreements, and vendor contracts contain some version of insurance requirements. The question is whether those requirements are specific enough to protect you.
What weak requirements look like:
- "Contractor shall maintain general liability insurance" (no limits specified)
- "Contractor shall maintain adequate insurance" (no definition of adequate)
- Limits specified but no endorsement requirements (additional insured, waiver of subrogation)
- Additional insured required but entity not named, or named incorrectly
What strong requirements look like:
- Specific limits for each required coverage type ($2M per occurrence CGL, $5M umbrella, statutory workers' comp)
- Additional insured endorsement requirement with your legal entity name and endorsement basis (primary and non-contributory)
- Waiver of subrogation requirement on all applicable policies
- Cancellation notice period (30 days)
- Tail coverage requirement for completed operations
- Remedy language for non-compliance
If your standard subcontract or service agreement insurance exhibit doesn't contain all of these elements, update it. The time to fix requirements is before an incident, not after.
Gap 2: COI Collection Without Verification
The most common failure in contractor compliance programs is treating the receipt of a COI as evidence of compliance.
It isn't. Industry data is clear: 70% of COIs are non-compliant at first receipt. That means most certificates received from contractors have some deficiency - wrong limits, wrong endorsement basis, missing entity, absent waiver of subrogation.
If you're collecting COIs but not verifying them against your contract requirements, you have a compliance-looking program that isn't actually providing compliance.
What proper verification includes:
- Policy dates are current and cover the project period
- Coverage limits meet the contract minimums for each policy type
- Your legal entity is named as additional insured (not your trade name - your legal entity)
- The additional insured basis is primary and non-contributory (if required)
- Waiver of subrogation is reflected
- Umbrella follows form to underlying policies
- Completed operations coverage is included if required
This check, done manually for every COI received from every contractor, is time-consuming. For a 20-contractor project, it's manageable. For a GC managing 50 active subcontracts across multiple projects, it requires either dedicated staff or automated tools.
Contractor COI Verification Quick Checklist:
- Policy dates cover project start through estimated completion
- CGL limits: per occurrence and aggregate meet contract minimums
- Workers' comp: statutory limits present
- Auto: meets contract minimum if applicable
- Umbrella: meets contract minimum, follows form
- Additional insured: correct legal entity named
- Additional insured basis: primary and non-contributory
- Waiver of subrogation: present on applicable policies
- Completed operations: included if required
Gap 3: No Ongoing Monitoring
A subcontractor's policy that was compliant at project kickoff may not be compliant at project month 8. Policies lapse, carriers change, and coverage is reduced at renewal without notification to certificate holders.
The structural problem: contractors don't automatically notify you when their coverage changes. Your 30-day cancellation notice provision in the contract provides some protection - but in practice, notification is often delayed or missed.
Practical ongoing monitoring:
- Track each subcontractor's policy expiration date (not the COI date - the policy expiration)
- Set renewal reminders 60 days before each expiration
- Require renewal COIs before the old policy expires
- Verify renewal COIs against current contract requirements (not just that they're current)
- For long projects, verify mid-project that certificates are still accurate
For high-risk subcontractors (structural, mechanical, hazmat, high-value scope), consider more frequent check-ins - quarterly rather than annual.
The ROI of Getting This Right
The cost of closing all three gaps is primarily in time and potentially a software investment. The cost of leaving any gap open is probabilistic - but the probability is real.
A single uninsured incident on a construction project - a subcontractor employee injury with an uninsured sub, a defect claim on a project where the responsible sub let their completed operations coverage lapse - routinely exceeds $500,000 in defense costs, settlement, and coverage dispute expenses.
For a construction company managing $10M in annual subcontractor spend, one uninsured incident represents 5% of revenue in unexpected cost. The investment to prevent it is trivial by comparison.
Bramble closes Gap 2 - the verification gap - by reading your subcontracts and comparing every COI against your actual contract requirements at the clause level. Book a demo at getbramble.com.