December Compliance Coffee Talk: Top Questions & Scenarios in 2025

Compliance Coffee Talk covers a new topic each month – RSVP for the series.

December:  “What were the top questions & trickiest scenarios we heard this year?” 

For the last session of the year, we brought back three of our favorite, and most experienced risk leader friends to ask them about some of the most common questions and trickiest scenarios we heard this year.

Watch the full replay, or keep scrolling for a summary of some of the key insights and practical tips from the session.

Meet the Experts

• Tamika Puckett: EVP & Public Sector Practice Leader @ Protecdiv.  Former Risk Leader at Zoom, City of Chicago, City of Atlanta, Durham Public Schools
• Bob Marshburn: Nationally recognized Independent Risk & Insurance Consultant, Instructor for IRMI’s CRIS Program, frequent expert witness and speaker
• Thor Benzing: Risk Manager @ California Intergovernmental Risk Authority, where he supports 59 municipalities

We’ll discuss:

• The key themes and challenges they’re seeing this year
• What separates proactive, strategic risk leaders from reactive risk leaders
• Answers to some of the repeat questions we get about setting GL limits, distinguishing low vs high-risk projects, and more
• Advice for handling various real-world scenarios submitted from the audience
• Career advice, lessons they wished they’d learned earlier

---

Key Takeaways

You’ve gotta listen for the real insights, but if you just want a cheat sheet, here are some of our takeaways from the session.

1. Risk environments are always in flux and new risks emerge constantly.

This year, Thor’s seeing two things really jump out:

• Outdated contract and requirement templates are really becoming an issue, with a lot of members finding big exposures created by templates that are 5+ years old.
• Sexual Abuse and Molestation (SAM) exposure is one area where members are having to reassess their exposure and change requirements.

Tamika’s dealt with Cyber and AI related risks for awhile, but the nature is different now.  It’s not just ransomware, it’s new, harder-to-define exposures that are harder to keep up with.  And some of those exposures are created internally by how orgs are using AI tools that aren’t always accurate.

Bob’s seeing a sharp increase in road construction and maintenance claims – way higher frequency and severity, way more high-dollar losses than in the past.

2. What distinguishes proactive, strategic risk leaders?  The basic fundamentals.

It’s the basics.  Claims don’t fail because of obscure issues, but because of a mistake with the fundamentals, like a core contract clause that’s not correct.

Bob’s example was a recent Exxon case where confusion between “coverage” vs “limits of coverage” cost years of litigation and millions of dollars.

Keep in mind – you only get what the contract explicitly requires, nothing more.

Some of the most commonly missed best practices are:

• Indemnification that survives contract termination
• Primary and non-contributory language
• Access to all insurance carried or available to a contractor, including subs

Those are small details, but they matter enormously.

3. Advice for GL limits?  It depends… but it’s often better to be high, then come down… but you also need to know when you should exceed your default.

Thor’s seeing $2-4M as a common starting point – but the key advice is to ask for more first because it’s always easier to come down than go up.

Tamika reminded us that contract value shouldn’t drive limits – exposure should.  Sometimes contract value correlates to exposure, so it’s relevant, but nuclear verdicts and social inflation means $2-4 isn’t enough, so you need to know when you’ve got a project or vendor with that added exposure.  Think in terms of both likelihood and severity.

• Small contracts can still carry high risk.  eg, cranes installing a public Christmas tree.
• Some activities are a good flag for higher limits
  • work involving children
  • large crowds
  • electrical and plumbing
  • any long-tail exposure
• Always require completed operations coverage – not just ongoing operations.

Also…

• Require excess / umbrella where appropriate.
  • ⚠️ Bob’s tip:  Be extremely careful with excess policies.  They are often NOT truly following form, so courts treat them as excess only, not vertical coverage.  If you don’t very, you may think you have $20M when really you only have $2M.
• Don’t rely on COIs – collect the actual additional insured endorsements.  And verify.

4. With existing vendors, increased scope or contract value should trigger a formal reassessment.

This was our scenario of a maintenance vendor taking on much larger install projects (eg, HVAC chiller replacement).  Often, cases like these mean you need to reassess your current requirements with the vendor, often need a new project-specific set of requirements.

💻 Cyber Liability came up in this example too. Anytime a vendor is accessing your network (like if this vendor now accesses the network to monitor equipment, do diagnostics, etc) cyber liability is probably needed.  What triggers cyber is access to either your network, or sensitive data.

5.  With special events, most exposure happens before attendees arrive: moving equipment, workers on site, property damage, etc.

This was our scenario about a vendor pushing back on the coverage period for a large annual fair.

Coverage needs to begin early, end late – the moment setup begins until teardown is complete.  Reminder – sometimes setup begins earlier than you think.  In this example, most of the setup was a week before the event, but some of the larger signage and receiving areas were set up more than a month out.

6. Tree Liability – it’s increasing.

In our scenario, this increased a lot after a pine beetle infestation damaged a lot of the trees on public property.  Thor’s seen this too, with a couple of recent examples of very high verdicts in the tens of millions.

Tips

• Know that the exposure is increasing in many places: More issues with aging trees, extreme wet-dry cycles, infestations, heavier use of owned property, and verdicts are up.
• Maintain a tree inventory
• Use a certified arborist.  In our example, many of the trees looked hazardous / dead after disease swept through, but were fine and would recover.
• Prioritize high-risk, high-traffic areas.  Back to basics – think likelihood and severity.
• Understand that right-of-way vs owned-property exposures are different.

7.  Career Advice:  Learn a little about everything.  Learn constantly. Don’t be afraid to say “I don’t know”.

You don’t have to be an expert at everything, but knowing a little, being able to ask questions, being able to understand how things impact other roles – that can go a long way towards letting you make a bigger, broader impact beyond just your immediate area.

Bob’s been at it for 40 years and he’s still at these sessions every month.  Risks are always changing, you’ve got to always be learning.

It’s always ok to say “I don’t know.”

This is our topic for January’s session with Megan Damato (Greenwich) and Heather Hammons-Riordan (Forsyth County), so make sure you’ve got your invite for Jan 13th.  We’re going to be talking about risk management career paths, what resources are available, becoming a 1st time leader, mentoring your own team, and more. 

As always, let us know if there are topics or questions you’d like to see covered in future sessions.