3 Common Mistakes When Verifying COIs

You may be setting the bar too high for third parties. You may be insisting on "one-size-fits-all." You're surely doing too much manual work.

Third-party insurance verification ensures a vendor or a business partner’s insurer can actually pay for losses or damages. Contracts obligate business partners to maintain some level of coverage, but enterprises have to verify that third parties carry at least enough to protect them from exposure.

Verification is a slow, painful, complicated back-and-forth process that mostly produces marginal results, and some of the enterprises we've talked to say it's just not worth the hassle of chasing down every single one of their partners to verify their insurance.

Here are three common mistakes that enterprises make that cause unnecessary friction and frustration with their third-party insurance verification program.

1. You’re Setting the Bar Too High

From a compliance standpoint, enterprises feel more protected when their legal or risk management team(s) set third-party insurance requirements, but these professionals often err on the side of extreme caution. In doing so, they end up making it nearly impossible for most third parties to comply with their standards.

A research report by Evident found that, for the average enterprise, 75% of third parties -- including vendors, suppliers, franchisees and other partners -- fail to meet contractual insurance requirements. Our data shows that 4% of the third parties that were non-compliant had decided they no longer wanted to meet the company’s insurance requirements for one reason or another. More often than not, compliance would have cost more than they’d actually make from doing business.

Ideally, compliance and coverage should be balanced against each other. If an enterprise is experiencing lower-than-average compliance rates and losing interest from desirable third-party partners, the enterprise needs to take a long, hard look at its requirements.

Businesses need to strike the right balance between adequate coverage and the ability to demonstrate compliance, developing criteria that incorporate not only legal and insurance needs but also business operations. The goal for most risk managers or GRC program operators is to achieve close to 100% compliance, but if the actual figure is closer to 25% (as our data suggests), then the insurance requirements need to be right-sized.

Start by assessing your partner portfolio and their respective coverages to identify the highest risks, then review any rules or coverage amounts that usually result in an exception request, as these are good indicators of where third-party partners get stuck in the verification process.

2. You’re Taking a 'One-Size-Fits-All' Approach

Businesses have different expectations for third-party partners, so supplier risk profiles will naturally vary. There’s a strong need to accommodate this variance by instituting a unique set of insurance requirements for each supplier category, but, in most cases, risk managers avoid going this route because they’re worried about adding more manual tasks to their daily operations.

Most corporate risk managers have just one or two blanket sets of insurance requirements for all of their third parties, which means they are already relying on excessive manual intervention: they are constantly making exceptions and overrides so that their preferred suppliers can continue to participate in their network.

Evident’s average customer has roughly 23 sets of third-party insurance compliance criteria, but some of our customers, like grocery store chains and supply chain businesses, have more than 50 sets of compliance criteria. And it makes sense – you wouldn’t want your IT firm to prove they meet the same set of insurance requirements as your office snack vendor.

A recent study indicated that 42% of businesses are still assessing their third parties using spreadsheet-based questionnaires, and 65% of these respondents are either unsatisfied with this approach or neutral about it. Automated technology solutions offer a robust alternative for accommodating variation in third-party risk that is both safer and easier than using spreadsheets.


3. You’re Doing Too Much Manual Work

The burden of tracking down certificates of insurance (COIs) from vendors, suppliers, business applicants, franchisees and other third-party partners typically falls on the risk management team, and, while the goal is a 100% response rate on COI requests, the actual response rate is more like 30% to 40%. Of those who do respond to requests, the ones that are able to demonstrate compliance with the company’s insurance requirements make up an even smaller percentage.

Even if a risk management team obtains a COI, they’re either manually reviewing it themselves or hiring someone else to do it. Either way, it’s an error-prone and inefficient process. It’s also only half the battle, because simply having the COIs on file is not enough to avoid liability. Risk, legal and compliance teams also need to continuously verify that the COIs they’ve collected are valid, up to date and authoritative.

Enterprises are spending too much time and money on manual processes to verify third-party insurance. The insurance industry isn't well-known for its quick adoption of cutting-edge technology, but COIs aren’t going away anytime soon, and the processes around them need to shed the clunky, outdated steps so they can meet today's business needs. Risk managers who let COI tracking technology do the heavy lifting have a lot more time to spend examining and improving the insurance programs that they’ve been hired to manage.

David Thomas


David Thomas is the CEO and founder of Evident. He is a cybersecurity entrepreneur and industry expert, having held leadership roles at market pioneers Motorola, AirDefense, VeriSign and SecureIT.
