Compliance Coffee Talk covers a new topic each month – RSVP for the series.
September: “How can risk managers identify which vendors and contracts carry the highest risk?”
Prioritizing risks is impossible if you can’t determine which vendors and contracts are higher risk and which are lower risk, or if you have high-risk contracts that create exposure with even low-risk vendors, or vice versa.
We get questions about this all the time from customers. Evident gives them much more visibility across vendors and contracts, so they can better segment, sort, and prioritize by risk level, but risk managers often want advice on what criteria to use when assigning risk levels to their contracts and vendors.
☕️ So that’s what we’re tackling in September’s Compliance Coffee Talk – How can risk managers identify which vendors and contracts carry the most risk? ☕️
Watch the full replay, or keep scrolling for a summary of some of the key insights and practical tips from the session.
We’ll discuss:
- Contractual risk vs project risk
- Why contract value is a poor proxy for risk level
- The most commonly missed issues in contracts and insurance coverage
- Types of vendors and projects that typically carry the most risk
- Standard templates for vendor risk assessments and insurance requirement checklists
- Best practices for granting exceptions, and red flags to avoid
- Managing risks associated with sub-contractors
- Assessing risk levels and insurance requirements for special events
Key Takeaways
1. Don’t rely solely on contract value as a proxy for risk level – consider the actual service and potential exposure.
Relying on dollar amounts alone means you’ll miss high-risk, low-dollar contracts—especially those involving vulnerable populations or physical risks.
“It’s not always just about the contract cost, it’s really about the services being performed.”
— Tiffany
2. Use templates and repeatable risk assessment frameworks to help identify specific sources of risk.
Use tools like exposure-specific checklists to guide what insurance is required, tailored to what vendors are actually doing, not just who they are.
“The main thing I’m looking for are ingredients to the specific risk exposures that those vendors are bringing in… like, are they using drones? Working underground? Giving professional advice?”
— Noelle
Here are some checklists and templates from Noelle and Contract Risk Academy:
3. Exceptions should be documented, never arbitrary, and balanced by common sense.
Not all vendors can (or should) meet your insurance requirements, and it’s practical to consider reasonable exceptions that might make sense. But risk-based exceptions should be deliberate—not reactive or arbitrary.
“There are red flags that should make you pause before granting an exception… If they push back on covering something critical to their primary area of work, that’s a huge issue.”
— Noelle
4. Don’t overlook sub-contractors: require downstream coverages and requirements, and get info on subs.
Though you aren’t contracting directly with a subcontractor, you can require your primary vendor to extend coverage requirements downstream. Ensure your contracts require vendors to either (1) cover their subs under their policy, or (2) ensure subs carry their own insurance that meets your terms.
Another tip: During RFPs, ask people to list who their contractors are for your review so you can flag concerns early.
“Engage really early in the process, before the RFP. It’s okay in your scope, when you’re asking for bids, for people to list out who their subcontractors are. They might work with some subs that you know are risky – Absolutely not. I don’t want them pouring concrete here.”
— Tiffany
5. Never rely solely on COIs – get endorsements and verify coverage.
Most liability failures come down to relying on generic COIs without verifying actual coverage. If using a verification system, make sure it’s reviewing and verifying actual documents, not just tracking docs and checking boxes. BTW, this is one of the reasons risk managers love Evident ;).
“You can’t rely on the certificates of insurance alone to determine if and how coverage actually applies.”
— Noelle
6. Get the key endorsement wording and coverages right in the contract.
This is another area where Evident can help you verify actual coverages, not just collect documents and hope they’re correct.
“The three most critical commonly required are: (1) additional insured, (2) waiver of subrogation, (3) and primary and non-contributory.”
— Noelle
7. Update contracts and requirement templates regularly – what worked 5 years ago might not work now.
And engage your insurance broker early and often when you’re looking at contracts and requirement templates. They can give some really great advice, and often might have better insight on changing best practices.
“Make sure to have an insurance expert update the insurance requirements based on current best practices for the types of vendors you’re doing work with, at least every 3 to 5 years, because you want to make sure that you’re keeping up with the changes in the insurance industry.”
— Noelle
“Engaging with your broker and carrier is super important. If you have a direct relationship with underwriters, I think that’s helpful, because they get a lot of insight on the actual value of the claims that come in to help you understand where you should be setting your limits.”
— Tiffany