Policy, Program and Procedures

Hello everyone,

Looking for some insight regarding what your organization's requirements in terms of requesting Certificate of Insurance (COI) from your vendor.

Currently, we request COI for all vendors regardless of risk or criticality levels. As you might know this can be a bit tedious, and some organization only collects COI based on higher criticality/risk levels. 

I'm trying to determine pros and cons to help us determine if we should continue our current process or make some amendments. Thank you!

Our organization focuses on collection and review of COI's for our highest risk third parties, with some consideration currently about including medium risk as well.  There should be consideration given to your portfolio and classification of risks, along with risk tolerance.  COIs are beneficial before the agreement has been finalized, to secure the appropriate coverage level from the third party.  The COI itself alone does not guarantee a firm coverage of losses, in a litigation, the firm would be equally in a position of needing to go the legal path to secure the funds covering the losses.  In addition, the terms and conditions of the agreement should stipulate liability obligations, warranties, and indemnification to hold the third party accountable.  The third parties financial viability becomes a concern/consideration, given that they may hold insurance, but may not have the financial wherewithal to cover losses.  Our company has found that collection of COIs for the low risk vendors is out of scope.

It's a standard third party program requirement for Moderate and higher third parties in our Program.  Additionally, for low risk vendors who do work on site, the facilities manager verifies insurance before work begins, but that is not part of the program.  (painters, construction, lawn care, etc.)