One of the most fundamental goals of any risk management program is to control risk through transference of liability away from you and onto another entity. Typically, this is achieved through contract, where specific insurance requirements are imposed on the third-party.
This works well in theory, but the process is rife with opportunity for failure. Unfortunately, in the case of complex transactions such as those involving certificates of insurance (COIs) and related documentation, the results can often be considerably less than stellar. It is easy for essential items to be overlooked, or not given the priority and importance they deserve. In the end, you could be wasting precious resources on a task that achieves little of the original objective.
Identifying and managing four central control points can be critical in replacing poor outcomes with positive results:
1. Good Data – As obvious as it seems, we repeatedly see significant gaps in the information necessary to properly implement a risk transfer program. A good starting point is to simply look at the information on a COI. There are actually four players represented – the insured (vendor, tenant, etc.), the insured's broker, the insurance company (ies) used by the insured and the certificate holder (you). This information provides the starting point for all else that follows. From revealing basic contact information to identifying the insurance carrier(s) and ensuring that the certificate holder is properly named, the COI itself can be an useful guide in gathering the necessary data.
2. Requirements – You cannot properly transfer risk without evaluating it, and risk is relative to the activities of the individual insured. From this follows the obvious fact that different risks should carry different insurance coverage requirements. After identification of the insureds, each must be assigned its own requirements on a case-by-case basis. This task will be greatly assisted in those instances where a contract is in place and the insurance requirements are explicitly spelled out. In those cases where there is no contract the risk manager must evaluate what is adequate and reasonable based upon the perception of risk inherent in the activities of the insured. Insurance requirements should be rationally and uniformly determined. In other words, don't give two insureds performing the same activities different requirements, and don't overreach by asking for requirements not contained in the contract.
3. Enforcement – If you don't enforce your own rules then there is no point to the whole exercise. We have seen more than a few instances where risk managers simply go along with whatever the insured's existing insurance coverage is. This is not compliance, it is acquiescence. It is also a formula for guaranteeing that sooner or later there will be a claim that comes back to haunt you. Enforcement requires that you engage with the insured and its broker and insist that your requirements are met. This can be challenging and sometimes unpleasant so there is a natural tendency to avoid the discussion. Don't give in, or give up. Just do it.
4. Analysis – It is essential you keep score. If it's not measured it's not managed. Ask who is in compliance with your requirements and who is not. Where are the gaps? What COIs are coming up for expiration and must be replaced? Who is ignoring my requests altogether? Whatever your system, be it spreadsheets, white boards or a sophisticated COI tracking system, you must have a continually current, reliable reporting capability. Without it, you will fail.
Complex business processes can often seem overwhelming - too many moving parts, too little time, inadequate resources, no efficient system. Adherence to these four components will assist in setting a course and staying on it.
To download an infographic of today's discussion, click here.