A vendor insurance compliance program is not a spreadsheet and a folder of COIs. It's a systematic process that identifies your vendor risk exposure, establishes contractual requirements calibrated to that exposure, collects and verifies proof of compliance, and monitors it continuously.
Most organizations have some version of the first two components. Where programs fail is in the third and fourth.
Component 1: Vendor Risk Tiering
Not all vendors carry the same risk. Your first step is categorizing your vendors by the nature and magnitude of the risk they create.
High-risk vendors perform physical work at your locations, interact directly with your customers, handle sensitive data, or create liability exposure that could result in significant claims. Examples: construction contractors, maintenance vendors, food service providers, IT service providers with system access.
Medium-risk vendors provide services with moderate liability potential - deliveries, landscaping, professional services where errors could cause financial harm.
Low-risk vendors provide remote services with minimal physical liability - software subscriptions, marketing services, consulting without physical presence.
Insurance requirements - coverage types, limits, endorsements - should scale with risk tier. A high-risk contractor performing on-site structural work needs higher limits and more specific endorsements than a low-risk remote software vendor.
Component 2: Contract Insurance Requirements
For each vendor tier, establish standard insurance requirements that go into your contracts. These must be specific:
Required coverage types: List each policy type - commercial general liability, workers' comp, auto, umbrella, professional liability, etc.
Minimum limits for each: State numbers, not "adequate" or "sufficient." $2M per occurrence / $4M aggregate is a requirement. "Adequate GL" is not.
Endorsement requirements: Additional insured (with entity names and endorsement basis), waiver of subrogation, cancellation notice period.
Duration: Coverage must be maintained throughout the contract term plus a tail period for completed operations (typically 2-5 years for construction).
Proof of coverage obligation: The vendor must produce a COI before work begins and at every renewal.
Remedy for non-compliance: What you can do if the vendor fails to maintain required coverage - suspension of work, withholding payment, termination.
See our detailed guide on how to write insurance requirements into a contract.
Component 3: COI Collection
Collection is the operational layer - getting COIs from vendors before they start work and at every renewal.
Onboarding trigger: Every new vendor relationship triggers a COI request before work begins.
Renewal tracking: Every vendor's policy expiration date is tracked, and renewal requests are sent 60 days before expiration.
Clear submission process: Vendors should have a clear, easy way to submit documents - email address, vendor portal, or both.
Follow-up protocol: Define what happens at 30 days, 14 days, and day-of-expiration if a vendor hasn't responded. Who escalates? What are the consequences?
COI Collection Program Checklist:
- Onboarding checklist includes COI requirement before work begins
- Each vendor's policy expiration date is recorded and tracked
- Automated or manual reminders sent at 60/30/14 days before expiration
- Defined escalation for non-responsive vendors
- Document submission process is clear for vendors
Component 4: COI Verification
This is where most programs fail. Collecting a COI is not verification. Verification means comparing every COI against the specific requirements in the vendor's contract.
What to check:
- Policy dates are current
- Coverage limits meet the contract minimums for each policy type
- Your entity is named as additional insured with the correct legal name
- The additional insured basis matches the contract requirement (primary and non-contributory)
- Waiver of subrogation is reflected where required
- Umbrella follows form to underlying policies
The challenge at scale: doing this manually for 50+ vendors is operationally burdensome. The 70% first-receipt non-compliance rate means most COIs need some correction - which means the review step is high-touch.
Automated contract-to-COI comparison tools (like Bramble) handle this at scale: the AI reads both the contract and the COI, identifies the gaps, and surfaces specific deficiencies for your team to act on.
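A deterministic version of the contract-to-COI comparison above, added here as an illustration (it is not Bramble's or any vendor's code): the requirement set, the sample certificate, the entity name and the limits are all constructed values, and `renewal_reminder` applies the 60/30/14-day reminder tiers from the collection checklist.

```python
from datetime import date
# Constructed contract requirements for one high-risk vendor tier (illustrative limits).
REQUIREMENTS = {
    "general_liability": {"per_occurrence": 2_000_000, "aggregate": 4_000_000,
                          "additional_insured": True, "primary_noncontributory": True,
                          "waiver_of_subrogation": True},
    "workers_comp": {"per_occurrence": 1_000_000, "aggregate": 0, "additional_insured": False,
                     "primary_noncontributory": False, "waiver_of_subrogation": True},
}

# Constructed COI with typical first-receipt defects: GL limits short, entity misspelled, WC waiver missing.
SAMPLE_COI = {
    "general_liability": {"effective": date(2025, 1, 1), "expiration": date(2026, 1, 1),
                          "per_occurrence": 1_000_000, "aggregate": 2_000_000,
                          "additional_insured": ["Acme Holdings Inc"],
                          "primary_noncontributory": True, "waiver_of_subrogation": True},
    "workers_comp": {"effective": date(2025, 1, 1), "expiration": date(2026, 1, 1),
                     "per_occurrence": 1_000_000, "aggregate": 0, "additional_insured": [],
                     "primary_noncontributory": False, "waiver_of_subrogation": False},
}

def verify_coi(entity_name, requirements, coi, as_of):
    """Compare each required policy on a COI to the contract; return a list of deficiencies."""
    gaps = []
    for ptype, req in requirements.items():
        pol = coi.get(ptype)
        if pol is None:
            gaps.append(f"{ptype}: policy missing from COI")
            continue
        if not pol["effective"] <= as_of <= pol["expiration"]:
            gaps.append(f"{ptype}: not in force on {as_of}")
        for limit in ("per_occurrence", "aggregate"):
            if pol[limit] < req[limit]:
                gaps.append(f"{ptype}: {limit} {pol[limit]:,} below required {req[limit]:,}")
        # Exact legal-name match: "Acme Holdings Inc" does not satisfy "Acme Holdings, Inc."
        if req["additional_insured"] and entity_name not in pol["additional_insured"]:
            gaps.append(f"{ptype}: '{entity_name}' not named as additional insured")
        for endorsement in ("primary_noncontributory", "waiver_of_subrogation"):
            if req[endorsement] and not pol[endorsement]:
                gaps.append(f"{ptype}: {endorsement} endorsement not reflected")
    return gaps

def renewal_reminder(expiration, as_of, tiers=(60, 30, 14)):
    """Reminder tier (days before expiration) now due, 'expired' once lapsed, or None."""
    days_left = (expiration - as_of).days
    if days_left < 0:
        return "expired"
    due = [t for t in tiers if days_left <= t]
    return min(due) if due else None
```

Run against the constructed certificate it reports four deficiencies, three on the GL policy and one on workers' comp, which is the kind of output a reviewer needs to send back to the broker rather than a bare pass/fail.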
Component 5: Ongoing Monitoring
A COI compliance program doesn't end when a vendor submits their first certificate. Policies change, carriers change, and vendors sometimes let coverage lapse without notifying you.
Expiration monitoring: Know when each vendor's policy expires and have a system to request renewals before they lapse.
Mid-term changes: Vendors occasionally have mid-term cancellations (for example, for non-payment), carrier changes, or limit adjustments. Real-time carrier data services (like Certificial) can alert you to mid-term changes.
Contract changes: When you renew or amend a contract and insurance requirements change, verify the current COI against the new requirements.
Post-incident review: When an incident occurs involving a vendor, immediately verify their insurance status and document the compliance history.
What a Mature Program Looks Like
A mature vendor insurance compliance program has:
- Tiered requirements defined and documented
- Standard contract insurance exhibits for each tier
- Automated COI collection triggered by vendor onboarding
- Contract-level COI verification (AI-assisted or manual)
- Expiration tracking with automated renewal reminders
- Defined remediation workflow for non-compliant vendors
- Audit trail for all compliance activity
- Annual program review to update requirements for risk changes
Most organizations are at "collect some COIs and hope they're right." The gap between that and a mature program is where your incident exposure lives.
Related Resources
- What Is Vendor Risk Management
- How to Write Insurance Requirements into a Contract
- How to Reduce Contractor Compliance Risk
- Third-Party Risk Management and Insurance
Bramble operationalizes the verification layer of your vendor insurance compliance program - reading contracts and comparing every COI against what you negotiated. Book a demo at getbramble.com.