Vendor Risk Tiering: Setting Insurance Requirements by Risk Level
Inori Team
COI Compliance Experts
Not every vendor requires the same insurance. A demolition contractor tearing down a structure next to an occupied building presents a fundamentally different risk than a landscaping crew mowing the lawn. Requiring $10 million in umbrella coverage from both is either wasteful (for the landscaper, who cannot obtain it affordably) or dangerously insufficient (for the demolition contractor, where $10 million may not be enough).
Vendor risk tiering solves this problem by classifying vendors into categories based on the severity and likelihood of loss their work can produce, then assigning insurance requirements proportionate to that risk.
The Four-Tier Framework
A four-tier model provides enough granularity to capture meaningful risk differences without creating so many categories that the system becomes unmanageable. Each tier corresponds to a risk level and a standard requirement set.
Tier 1: Critical Risk
Critical-risk vendors perform work with the highest potential for catastrophic loss — severe bodily injury, major property damage, environmental contamination, or project-ending events. Their work is characterized by irreversibility, proximity to severe hazards, and the potential for cascading failures.
Typical trades: Demolition, structural steel erection, crane operation, blasting and excavation near structures, asbestos abatement, lead paint removal, high-voltage electrical work, deep foundation work (piling, caissons).
Requirement set:
| Coverage | Minimum Limit |
|---|---|
| Commercial General Liability | $2,000,000 per occurrence / $4,000,000 aggregate |
| Workers' Compensation | Statutory |
| Employers' Liability | $1,000,000 / $1,000,000 / $1,000,000 |
| Commercial Auto | $1,000,000 CSL |
| Umbrella / Excess | $10,000,000 – $25,000,000 |
| Pollution Liability | $2,000,000 (if hazmat involved) |
Provisions: Additional Insured (ongoing + completed ops), Waiver of Subrogation (GL + WC), Primary & Non-Contributory, Per-Project Aggregate. Endorsement copies required — certificate alone is insufficient.
Compliance cadence: Certificates reviewed at onboarding, at every policy renewal, and quarterly spot-checks. Zero tolerance for gaps — any critical gap triggers immediate work suspension.
Tier 2: High Risk
High-risk vendors perform physical work with significant bodily injury or property damage potential. The severity of a worst-case loss is high but generally bounded — a serious accident rather than a catastrophic one. Their work involves recognized construction or maintenance hazards, but not the extreme exposures of Tier 1.
Typical trades: Electrical (standard), mechanical/HVAC, plumbing, fire suppression, elevator installation and maintenance, welding and fabrication, scaffolding, general contracting (non-high-rise).
Requirement set:
| Coverage | Minimum Limit |
|---|---|
| Commercial General Liability | $1,000,000 per occurrence / $2,000,000 aggregate |
| Workers' Compensation | Statutory |
| Employers' Liability | $500,000 / $500,000 / $500,000 |
| Commercial Auto | $1,000,000 CSL |
| Umbrella / Excess | $5,000,000 – $10,000,000 |
Provisions: Additional Insured (ongoing + completed ops), Waiver of Subrogation (GL + WC), Primary & Non-Contributory.
Compliance cadence: Certificates reviewed at onboarding and at every policy renewal. Gaps communicated within 48 hours; resolution deadline of 14 days.
Tier 3: Medium Risk
Medium-risk vendors perform work with moderate physical exposure or provide professional services where an error can produce financial loss. The worst-case loss is material but unlikely to be catastrophic.
Typical trades: Concrete and masonry, painting, flooring, drywall, carpentry, landscaping (with heavy equipment), pest control, cleaning (industrial), technology vendors with data access, consultants and engineers.
Requirement set:
| Coverage | Minimum Limit |
|---|---|
| Commercial General Liability | $1,000,000 per occurrence / $2,000,000 aggregate |
| Workers' Compensation | Statutory |
| Employers' Liability | $500,000 / $500,000 / $500,000 |
| Commercial Auto | $1,000,000 CSL (if applicable) |
| Umbrella / Excess | $2,000,000 – $5,000,000 |
| Professional Liability / E&O | $1,000,000 (if professional services) |
| Cyber Liability | $1,000,000 (if data access) |
Provisions: Additional Insured, Waiver of Subrogation.
Compliance cadence: Certificates reviewed at onboarding and at renewal. Gaps communicated within 5 business days; resolution deadline of 21 days.
Tier 4: Low Risk
Low-risk vendors perform work with minimal physical exposure, limited access to the property, and no access to sensitive data. A worst-case loss is limited in both severity and scope.
Typical trades: Janitorial (standard office), landscaping (lawn care only), courier and delivery services, office supply vendors, vending machine services, security guard services (unarmed), basic IT support (no data access).
Requirement set:
| Coverage | Minimum Limit |
|---|---|
| Commercial General Liability | $1,000,000 per occurrence / $2,000,000 aggregate |
| Workers' Compensation | Statutory |
| Commercial Auto | $1,000,000 CSL (if applicable) |
Provisions: Additional Insured, Waiver of Subrogation.
Compliance cadence: Certificates reviewed at onboarding and at renewal. Gaps communicated within 5 business days; resolution deadline of 30 days.
How to Assign Tiers
Tier assignment should be based on objective criteria, not gut feeling. The following factors determine a vendor's tier:
Nature of the work: What physical hazards does the work involve? Is there fall exposure, heavy equipment, hazardous materials, hot work, or confined space entry? The more severe the potential hazard, the higher the tier.
Proximity to people: Does the vendor work in occupied spaces? Near the public? Near other contractors? Work performed in an unoccupied construction site presents less third-party exposure than work in an operating hospital or retail center.
Contract value: Higher contract values generally correlate with larger scope and longer duration, both of which increase cumulative exposure. A $5 million subcontract warrants higher limits than a $50,000 one, even for the same trade.
Access to sensitive assets: Does the vendor handle personal data, financial information, intellectual property, or building systems (HVAC controls, security systems, fire alarm systems)? Data and system access creates exposures beyond physical hazards.
Historical loss experience: Has this vendor type produced claims in the past? Industry loss data from your carrier, your broker, or industry associations can inform tier placement.
Tier Assignment Matrix
| Factor | Tier 1 (Critical) | Tier 2 (High) | Tier 3 (Medium) | Tier 4 (Low) |
|---|---|---|---|---|
| Hazard severity | Catastrophic | Major | Moderate | Minor |
| Work in occupied spaces | Yes, high-traffic | Yes | Sometimes | Rarely |
| Contract value | > $1M | $250K – $1M | $50K – $250K | < $50K |
| Data / system access | Critical systems | Building systems | Limited data | None |
| Historical claims | Severe / frequent | Moderate | Low | Minimal |
A vendor needs to meet the criteria for only one factor at a given tier level to be assigned to that tier. A landscaping company that operates heavy equipment (medium hazard) and has a $500,000 contract (high contract value) would be assigned to Tier 2 based on contract value alone.
When to Reassess Tier Assignment
Tier assignments are not permanent. Reassess when:
- Scope of work changes: A vendor originally hired for painting (Tier 3) takes on lead paint removal (Tier 1). The tier must change immediately.
- Contract value increases: A small electrical sub with a $100,000 contract (Tier 3) gets a change order that brings the total to $400,000 (Tier 2).
- Incident occurs: A vendor's employee is seriously injured on your site. Even if the vendor was correctly tiered, the incident should trigger a review of whether the tier and its requirements are adequate.
- Annual review: At minimum, review all tier assignments once per year during the program's annual review cycle.
- New vendor category: When you engage a vendor type you have not worked with before, the tier assignment should be made deliberately, not by default.
Escalation Rules by Tier
The urgency and consequence of a compliance gap should correspond to the vendor's risk tier. A gap on a Tier 1 vendor is an emergency. A gap on a Tier 4 vendor is an action item.
| Event | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Gap detected | Same-day notification | 48-hour notification | 5-day notification | 5-day notification |
| Resolution deadline | 7 days | 14 days | 21 days | 30 days |
| Escalation trigger | Day 7 | Day 14 | Day 21 | Day 30 |
| Work suspension | Day 14 or immediately for critical gaps | Day 21 | Day 30 | Rarely |
| Contract termination | Day 21 | Day 30 | Case by case | Case by case |
For Tier 1 vendors, a critical gap (missing WC, expired GL, no umbrella) should trigger immediate work suspension — do not wait for the 7-day resolution deadline. The risk of an uninsured catastrophic loss during a 7-day gap window is unacceptable.
Implementing the Framework
Rolling out a tiering framework across an existing vendor program requires a structured approach:
- Inventory your vendors: List every active vendor and their current trade or service category.
- Apply the tier matrix: Assign each vendor to a tier using the objective criteria above.
- Map current requirements to tier requirements: Identify which vendors are currently meeting their tier's requirements and which are not.
- Communicate changes: Vendors whose requirements are increasing need advance notice. Give them 60 to 90 days to adjust their insurance programs.
- Enforce consistently: Once the grace period ends, enforce the tiered requirements uniformly. Selective enforcement undermines the entire framework.
- Track and report: Measure compliance rates by tier. Your Tier 1 compliance rate is the most important number in your program — that is where the catastrophic exposure lives.
A well-implemented tiering framework reduces administrative burden on low-risk vendors, concentrates your compliance team's attention on the vendors that matter most, and ensures that your insurance requirements are defensible if challenged — because they are proportionate to actual risk.
Related Articles
Ready to automate COI compliance?
Start with our free COI checker — no sign-up required. Or try the full platform free.