The true risk of false security

As we all have learned - often the hard way - things aren't always what they seem. In other words, perception isn't always reality. In fact, sometimes it can be just the opposite.

Through surveys and onboarding of new customers, we've learned that misperception can be the result of overlooked, ignored, or unknown issues. When applied to critical risk management issues, the news can be quite a surprise, often leading to misalignment of expectations and risk exposure.

When asked to cite the current compliance percentage of existing COIs, the average response of perceived compliance hovers around 80%. Unfortunately, our experience tells us the client's view of their third-party compliance is often very different from what we discover. When we onboard a new client, we consistently find the true rate of compliance is more in the range of 15-25%. This is invariably caused by one or more of the following:

• A decentralized organization where COIs are collected and retained in multiple locations. Because of this structure, Risk Management never gets a true picture of what the true state of compliance is.
• Failure to replace expired COIs. Most companies do a fair job of collecting a COI, at least the first time. Where things fall off the tracks is at renewal; no one is watching the expiration dates on the COIs and not many make a proactive effort to get replacements.
• No evaluation of the COIs for compliance. It's not enough to collect a COI, it must be compared to the insurance coverage requirements associated with that particular risk or contract. Time and again we see situations where COIs are passively collected and simply filed away.

It could be argued that with a sustained COI compliance rate upwards of 80% most companies would be doing a pretty decent job managing the task internally and would not turn to outside professional compliance management for assistance. Yet they do. This is interesting behavior and actually good news, for it suggests that despite the high compliance rate they assign themselves there is something else moving them toward outsourcing the task. Maybe they subconsciously know that their 80% self-assessment is really only a sand castle. Their risk management alarm is silently ringing and they are acting responsibly by seeking expert assistance with this complex and difficult task.

The real hazard resides with those who believe the 80% number is real when in fact it is not. Here are a few quick questions to ask yourselves before getting too comfortable:

• Is tracking certificates of insurance a priority in your organization?
• Are there best-practices protocols in place for COI collection, evaluation and follow-up?
• Do you have sufficient resources with subject-matter expertise?
• Is data complete, well organized and easily measurable?
• Are third-party insurance requirements standardized by perceived risk and applied uniformly throughout the organization?

If you can answer "yes" to all of these questions there is a high likelihood your 80% estimate is valid. We can only hope to assist those who say it is but really know it isn't.